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Foreword 



rd , 



This Technical Specification has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

X the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 



The present specification details the stage 3 work related to all 3GPP AAA reference points used by the different non- 
3GPP accesses included in EPS; it will also cover H2 reference point defined in I-WLAN mobility. 
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Scope 



The present document defines the stage-3 protocol description for several reference points for the non-3GPP access in 
EPS. 

The present document is applicable to: 

• The SWa reference point between an un-trusted non-3GPP IP access and the 3GPP AAA Server/Proxy. 

• The STa reference point between a trusted non-3GPP IP access and the 3GPP AAA Server/Proxy. 

• The SWd reference point between the 3GPP AAA Proxy and 3GPP AAA Server. 

• The SWx reference point between the 3GPP AAA Server and the HSS. 

• The S6b reference point between the 3GPP AAA Server/Proxy and the PDN GW. 

• The H2 reference point between the 3GPP AAA Server and the HA. 

• The S Wm reference point between the 3GPP AAA Server/Proxy and the ePDG. 
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Definitions, symbols and abbreviations 



3.1 



Definitions 



3.1.1 General 

For the purposes of the present document, the terms and definitions given in 3GPP TR 21.905 [1] and the following 
apply. A term defined in the present document takes precedence over the definition of the same term, if any, in 3GPP 
TR 21.905 [1]. 

3.1 .2 Handling of Information Elements 

In the tables that describe the Information Elements transported by each Diameter command, each Information Element 
is marked as (M) Mandatory, (C) Conditional or (O) Optional in the Category "Cat." column. For the correct handling 
of the Information Elements and their precedence to any included ABNF definition of the command as defined 
according to their category types, see the description detailed in section 6 of the 3GPP TS 29.228 [22]. 



3.2 



Abbreviations 



For the purposes of the present document, the abbreviations given in 3GPP TR 21.905 [1] and the following apply. An 
abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in 
3GPPTR 21.905 [1]. 

AE Authentication Extension 

EPC Evolved Packet Core 

ePDG Evolved Packet Data Gateway 

eHRPD evolved High Rate Packet Data 

FA Foreign Agent 

FACoA FA Care-of- Address 

HA Home Agent 

HBM Host Based MobiHty 

HSGW eHRPD Serving Gateway 

LMA Local Mobility Anchor 

MAG Mobile Access Gateway 

MlPv4 Mobile IP version 4 

MN Mobile Node 

NBM Network Based Mobihty 

NAS Network Access Server 

PBU Proxy Binding Update 

PMlP/PMlPv6 Proxy Mobile IP version 6 

RRP MlPv4 Registration Reply 

RRQ MlPv4 Registration Request 

SA Security Association 

SGW Serving Gateway 

SIPTO Selected IP Traffic Offload 



4 SWa Description 

4.1 Functionality 



4.1.1 



General 



The SWa reference point is defined between the untrusted non-3GPP IP access and the 3GPP AAA Server or Proxy. 
The definition of the reference point and its functionality is given in 3GPP TS 23.402 [3]. 
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The SWa reference point is optionally used to authenticate and authorize the UE for the access to the EPS. It is up to the 
non-3GPP operator" s policy whether this interface and the procedures defined in this section are used. 

NOTE: From the EPS operator's view, the tunnel authentication and authorization procedures described in clause 
7 (SWm description) and clause 9 are required to ensure the user's authentication and authorization when 
the UE is attached to an untrusted non-3GPP IP access. 

The same procedures as defined for STa reference points are used also in the SWa, but with reduced message content. 
As an exception, the service authorization information update procedure is not applicable for the SWa reference point. 

4.1.2 Procedure Descriptions 

4.1 .2.1 SWa Authentication and Authorization procedure 

4.1.2.1.1 General 

This procedure follows the STa Authentication and Authorization procedure, with the following differences: 

Information elements that would reflect information about the user's service request and about the access 
network are not included or are optional in the authentication and authorization request. 

The information elements that describe the user's subscription profile are not downloaded to the non-3GPP 
access network. 

Table 4.1.2.1/1 : SWa Authentication and Authorization Request 



Information element 
name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


Tills Information element shall contain the identity of the user. The 
identity shall be represented in NAI form as specified in the IETF 
RFC 4282 [15] and shall be formatted as defined in clause 19 of 
3GPPTS 23.003 [14]. 


EAR payload 


EAR-payload 


M 


This IE shall contain the Encapsulated EAR payload used for the 
UE - 3GRR AAA Server mutual authentication 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


This IE shall define whether the user is to be authenticated only, 
authorized only or both. AUTHORIZE_AUTHENTICATE shall be 
used in this case. 


UE Layer-2 address 


Calling-Station-ID 


M 


This IE shall carry the Layer-2 address of the UE. 


Access Type 


RAT-Type 





If present, this IE shall contain the untrusted non-3GPP access 
network technology type that is serving the UE. 


Access Networl< 
Identity 


ANID 





If present, this IE shall contain the access network identifier used 
for key derivation at the HSS. (See 3GPP TS 24.302 [26] for all 
possible values) 

It shall be included if the non-3GPP access network selects the 
EAR-AKA' authentication method. 


Supported Features 
(See 3GRR TS 29.229 
[24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter 
session. 
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Table 4.1.2.1/2: SWa Authentication and Authorization Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in IETF 
RFC 4282 [15] and shall be formatted as defined in clause 19 of 
3GPPTS 23.003 [14]. 


EAP payload 


EAP payload 


M 


This IE shall contain the Encapsulated EAP payload used for UE- 
3GPP AAA Server mutual authentication. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE AUTHENTICATE. See 
IETF RFC 4072 [5]. 


Result code 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. Result codes are 
as in Diameter Base Protocol (IETF RFC 3588 [7]). Experimental- 
Result AVP shall be used for SWa errors. This is a grouped AVP 
which shall contain the 3GPP Vendor ID in the Vendor-Id AVP, 
and the error code in the Experimental-Result-Code AVP. 


Session Alive Time 


Session-Timeout 





This AVP may be present if the Result-Code AVP is set to 
DIAIVIETER _SUCCESS. If present, it shall contain the maximum 
number of seconds the user session is allowed to remain active. 


Accounting Interim 
Interval 


Accounting 
Interim-Interval 





If present, this IE shall contain the Charging duration 


Pairwise Master Key 


EAP-Master- 
Session-Key 


c 


This IE shall be present if the Result-Code AVP is set to 
DIAMETER SUCCESS. 


3GPP AAA Server 
Name 


Redirect-Host 


c 


This information element shall be present if the Result-Code 
value is set to DIAMETER_REDIRECT_INDICATION. When the 
user has previously been authenticated by another 3GPP AAA 
Server, it shall contain the Diameter identity of the 3GPP AAA 
Server currently serving the user. The node receiving this IE shall 
behave as defined in the Diameter Base Protocol (IETF RFC 
3588 [7]). The command shall contain zero or one occurrence of 
this information element. 


Trust Relationship 
Indicator 


AN-Trusted 


M 


This AVP shall contain the 3GPP AAA Server's decision on 
handling the non-3GPP access network, i.e. trusted or untrusted. 
For the SWa case, the value 'UNTRUSTED' shall be used. 


Supported Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of 
features supported by the origin host for the lifetime of the 
Diameter session. 



4.1.2.1.2 



3GPP AAA Server Detailed Behaviour 



The detailed behaviour of the 3GPP AAA Server follows the behaviour defined for the STa Authentication and 
Authorization procedure (refer to clause 5.1.2.1.2), with the following deviations: 

The 3GPP AAA Server shall handle the non-3GPP access network as untrusted. 

The 3GPP AAA Server marks the trust relationship as "untrusted" with the User Identity. 

The authentication method shall be selected based on the presence of the Access Network Identity: if this 
information element is present, EAP-AKA' method is used; otherwise, EAP-AKA method is used 

4.1 .2.2 SWa HSS/AAA Initiated Detach 

This procedure equals with the STa HSS/AAA Initiated Detach procedure, refer to clause 5.1.2.2. 

4.1 .2.3 SWa Non-3GPP Access Network Initiated Detach 

This procedure equals with the STa Non-3GPP Access Network Initiated Detach procedure, refer to clause 5.1.2.4. 
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4.1.2.4 



SWa Re-Authentication and Re-Authorization Procedure 



4.1.2.4.1 



General 



This procedure is optional and it may be invoked by the 3GPP AAA Server, if the operator policies require that the re- 
authentication of the user for the SWa is to be renewed and the untrusted non-3GPP access network supports the re- 
authentication. 

This procedure shall be performed in two steps: 

The 3GPP AAA server shall issue an unsolicited re-auth request towards the untrusted non-3GPP access, 
indicating that both re-authentication and re-authorization of the user is needed. Upon receipt of such a 
request, the untrusted non-3GPP access shall respond to the request and shall indicate the disposition of the 
request. This procedure is mapped to the Diameter command codes Re-Auth-Request and Re- Auth- Answer 
specified in IETF RFC 3588 [7]. Information element contents for these messages shall be as shown in tables 
4.1.2.4.1/1 and 4.1.2.4.1/2. 

Upon receiving the re-auth request, the untrusted non-3GPP access shall immediately invoke the SWa 
authentication and authorization procedure requesting the identity of the user via EAP and using DER/DEA 
commands, with the same session-ID but the content adapted to the needs of a re-authentication. Information 
element contents for these messages shall be as shown in tables 4.1.2.4.1/3 and 4.1.2.4.1/4. 

If the re-authentication of the user is not successful, the untrusted non-3GPP access shall detach the user. 
Table 4.1.2.4.1/1: SWa Re-auth request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15], and 
shall be formatted as defined in clause 19 of 3GPP TS 23.003 [14]. 


Re-Auth 
Request Type 


Re-Auth- 
Request-Type 


M 


This information element shall define whether the user is to be authorized 
only or authenticated and authorized. AUTHORIZE_AUTHENTICATE shall 
be used in this case. 


Routing 
Information 


Destination- 
Host 


M 


This information element shall be obtained from the Origin-Host AVP, which 
was included in a previous command received from the untrusted non-3GPP 
access. 



Table 4.1.2.4.1/2: SWa Re-auth response 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in clause 19 of 3GPP TS 23.003 [14]. 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for SWa errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id AVP 

and the error code in the Experimental-Result-Code AVP. 
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Table 4.1.2.4.1/3: SWa Authentication and Authorization Request 



Information element 
name 


IVIapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The 
identity shall be represented in NAI form as specified in lb Ih RFC 
4282 [15] and shall be formatted as defined in clause 19 of 3GPP 
TS 23.003 [14]. 


EAR payload 


EAP-payload 


M 


This IE shall contain the Encapsulated EAR payload used for the 
UE - 3GPP AAA Server mutual authentication. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


This IE shall define whether the user is to be authorized only or 
authenticated and authorized. AUTHORIZE_AUTHENTICATE shall 
be used in this case. 



Table 4.1.2.4.1/4: SWa Authentication and Authorization Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in IETF 
RFC 4282 [15] and shall be formatted as defined in clause 19 of 
3GPPTS 23.003 [14]. 


EAR payload 


EAP payload 


M 


This IE shall contain the Encapsulated EAP payload used for UE- 
3GPP AAA Server mutual authentication. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE AUTHENTICATE. See 
IETF RFC 4072 [5]. 


Result code 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. Result codes are 
defined in the Diameter Base Protocol (IETF RFC 3588 [7]). The 
Experimental-Result AVP shall be used for SWa errors. This is a 
grouped AVP which shall contain the 3GPP Vendor ID in the 
Vendor-Id AVP, and the error code in the Experimental-Result- 
Code AVP. 


Session Alive Time 


Session-Timeout 





If present, this IE shall contain the maximum number of seconds 
the user session should remain active. 


Accounting Interim 
Interval 


Accounting 
Interim-Interval 





If present, this IE shall contain the Charging duration. 


Pairwise IVIaster Key 


EAP-Master- 
Session-Key 


c 


This IE shall be sent if Result-Code AVP is set to 
DIAMETER SUCCESS. 



4.1 .2.4.2 3GPP AAA Server Detailed Behaviour 

The 3GPP AAA Server shall trigger this procedure according to the local policies configured by the operator. 

The 3GPP AAA Server shall use the same authentication method that was used during the full authentication executed 
at the UE's attach. If EAP-AKA' is used, the 3GPP AAA Server shall use the ANID parameter received during the 
authentication and authorization executed at the UE attach (refer to clause 4.1.2.1.1). 

4.2 Protocol Specification 
4.2.1 General 

The SWa reference point shall use the same Diameter application as the STa reference point. The first authentication 
command exchange (DER/DEA) is common between the SWa and STa reference points. During this initial exchange, 
the 3GPP AAA Server determines the HPLMN's trust relationship with the non-3GPP access network and 
communicates it to the non-3GPP access network and the UE as described in section 5.1.2.1.2. The contents of the 
subsequent commands are dependent on this trust relationship determination and are specific to the SWa or STa 
reference points. 
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4.2.2 Commands 

4.2.2.1 Commands for SWa authentication and authorization procedures 

4.2.2.1 .1 Diameter-EAP-Request (DER) Command 

The Diameter-EAP-Request (DER) command, indicated by the Command-Code field set to 268 and the "R" bit set in 
the Command Flags field, is sent from a trusted non-3GPP access network NAS to a 3GPP AAA Server. 

< Diameter-EAP-Request > ::= < Diameter Header: 268, REQ, PXY > 

< Session-Id > 
{ Auth-Application-Id } 
{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Request-Type } 
{ EAP-Payload } 
[ User-Name ] 
[ CalHng-Station-Id ] 
[ RAT-Type ] 

[ ANID ] 

*[ Supported-Features ] 

*[ AVP ] 



4.2.2.1 .2 Diameter-EAP-Answer (DEA) Command 

The Diameter-EAP-Answer (DEA) command, indicated by the Command-Code field set to 268 and the "R" bit cleared 
in the Command Flags field, is sent from a 3GPP AAA Server to a trusted non-3GPP access network NAS. 

< Diameter-EAP-Answer > ::= < Diameter Header: 268, PXY > 

< Session-Id > 
{ Auth-Application-Id } 
{ Result-Code } 
[ Experimental-Result ] 
{ Origin-Host } 
{ Origin-Realm } 
{ Auth-Request-Type } 
{ EAP-Payload } 
[ User-Name ] 
[ Session-Timeout ] 
[ Accounting-Interim-Interval ] 
[ EAP -Master-Session-Key ] 
*[ Redirect-Host ] 
[ AN-Trusted ] 
*[ Supported-Features ] 

*[ AVP ] 

4.2.2.2 Commands for SWa HSS/AAA Initiated Detach 

Refer to clause 5.2.2.2. 

4.2.2.3 Commands for Untrusted non-3GPP Access network Initiated Session 
Termination 

Refer to clause 5.2.2.4. 
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4.2.2.4 Commands for SWa Re-Authentication and Re-Authorization Procedures 

4.2.2.4.1 Re-Auth-Request (RAR) Command 

The Diameter Re-Auth-Request (RAR) command, indicated by the Command-Code field set to 258 and the "R" bit set 
in the Command Flags field, shall be sent from a 3GPP AAA server to an untrusted non-3GPP access network NAS. 
ABNF for the RAR command shall be as follows: 

< Re-Auth-Request > ::= < Diameter Header: 258, REQ, PXY, 16777250 > 

< Session-Id > 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Destination-Host } 

{ Auth-Application-Id } 

{ Re-Auth-Request-Type } 

[ User-Name ] 

*[ AVP ] 

4.2.2.4.2 Re-Auth-Answer (RAA) Command 

The Diameter Re-Auth-Answer (RAA) command, indicated by the Command-Code field set to 258 and the "R" bit 
cleared in the Command Flags field, shall be sent from an untrusted non-3GPP access network NAS to a 3GPP AAA 
server. ABNF for the RAA command shall be as follows: 

< Re-Auth-Answer > ::= < Diameter Header: 258, PXY, 16777250 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 

*[ AVP ] 

4.2.2.4.3 Diameter-EAP-Request (DER) Command 

Refer to clause 4.2.2. 1 . 1 . 

4.2.2.4.4 Diameter-EAP-Answer (DEA) Command 

Refer to clause 4.2.2. 1 .2 



5 STa Description 

5.1 Functionality 



5.1.1 General 

The STa reference point is defined between a non-3GPP access network and the 3GPP AAA Server or between a non- 
3GPP access network and the 3GPP AAA Proxy. The definition of the reference point and its functionality is given in 
3GPPTS 23.402 [3]. 

Whether a Non-3GPP access network is Trusted or Untrusted is not a characteristic of the access network; this decision 
shall be made during the access authentication and authorization procedure executed between the non-3GPP access 
network and the 3GPP AAA Server. This is implemented by the STa and SWa reference points sharing the same 
Diameter application and partly sharing the same authentication and authorization procedure. The STa and SWa 
reference points are clearly distinguished after the exchange of the first authentication and authorization messages, 
during which trusted/untrusted decision is made by the 3GPP AAA server and this decision is communicated to the 
non-3GPP access network. The other procedures are specific to the STa and SWa reference points. 
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The STa reference point shall be used to authenticate and authorize the UE. 

The STa reference point may also be used to transport PMIPv6, MIPv4 FA-CoA mode related mobility parameters in a 
case the UE attaches to the EPC using the S2a reference point. 

Additionally the STa reference point may also be used to transport DSMIPv6 related mobility parameters in case the 
UE attaches to the EPC using the S2c reference point. In particular, in this case the STa reference point may be used for 
conveying the Home Agent IP address or FQDN from the AAA server to the gateway of the trusted non-3GPP access 
for Home Agent discovery based on DHCPv6 (see TS 24.303 [13]). 

This reference point shall be also used to transport charging-related information and optionally information about IP 
Mobility Mode Selection. 

5.1.2 Procedures Description 

5.1 .2.1 STa Access Authentication and Authorization 

5.1.2.1.1 General 

These procedures are transported over Diameter, the Access (Re-)Authentication and Authorization between the trusted 
non-3GPP access network and the 3GPP AAA Proxy or Server. The STa interface and Diameter application shall be 
used for authenticating and authorizing the UE for both PMIPv6 and MIPv4 FA-CoA mode trusted non-3GPP accesses 
and non-3GPP accesses that are decided to be untrusted during the authentication and authorization procedure. 

When EAP-AKA' is used in the STa access authentication and PMIPv6 is used, the network element of the non-3GPP 
access network acting as a MAG shall have also the role of the NAS. During the STa access authentication the NAS 
shall serve as pass-through EAP authenticator. 

Diameter usage over the STa interface: 

When EAP is used, the trusted non-3GPP access authentication and authorization procedure shall be mapped to 
the Diameter-EAP-Request and Diameter-EAP-Answer command codes specified in IETF RFC 4072 [5]. 

For (re)authentication procedures, the messaging described below shall be reused. 

During the STa Access Authentication and Authorization procedure the non-3GPP access may provide information on 
its PMIPv6 capabilities to the 3GPP AAA Server. 

For a trusted non-3GPP access, the 3GPP AAA Server may perform IP mobility mode selection. The 3GPP AAA 
Server may provide to the trusted non-3GPP GW an indication if either PMIPv6 or local IP address assignment shall be 
used 

During the STa Access Authentication and Authorization procedure the trusted non-3GPP GW shall provide 
information on the Access Network Identity to the 3GPP AAA Server. 

During the STa Access Authentication and Authorization procedure the AAA Server may provide a Home Agent IPv6 
address (and optionally IPv4 address) or FQDN to the trusted non-3GPP GW. This is needed if the DHCPv6 option for 
Home Agent address discovery is chosen (see TS 24.303 [13] and IETF RFC 6611 [28]). If the Home Agent IPv6 
address or FQDN is not included in the final Authentication and Authorization Answer by the AAA server, the trusted 
non-3GPP GW shall not assign the Home Agent via DHCPv6. 

During the STa Access Authentication and Authorization procedure for MIPv4 FA-CoA mode using trusted non-3GPP 
access the 3GPP AAA Server may provide the mobility security parameters FA-RK and FA-RK-SPI to the trusted non- 
3GPP GW. 

The User-Name AVP may contain a decorated NAI (as defined in 3GPP TS 23.003 [14]) in a roaming case. In this case 
the 3GPP AAA Proxy shall process the decorated NAI and support routing of the Diameter request messages based on 
the decorated NAI as described in IETF RFC 5729 [37]. 

For UEs where the IMSI is not available, the Authentication and Authorization procedures shall not be used over the 
STa interface. For UEs receiving emergency services, where the IMSI is available, the Authentication and 
Authorization procedures shall be used, but if they fail, the procedures shall proceed as if they succeeded on the non- 
3GPP Access Gateway. 



£75/ 



3GPP TS 29.273 version 10.7.0 Release 10 



20 



ETSI TS 129 273 VI 0.7.0 (2012-10) 



For both PMIPv6 and MIPv4 FA-CoA mode trusted non-3GPP accesses, upon mobility between 3GPP and non-3GPP 
accesses, for the PDNs the UE is already connected, the PDN Gateway identity for each of the already allocated PDN 
Gateway(s) with the corresponding PDN information is provided to the trusted non-3GPP system. The PDN Gateway 
identity is a FQDN and/or IP address of the PDN GW. If a FQDN is provided, the trusted non-3GPP system shall derive 
it to IP address according to the selected mobility management protocol. 

Table 5.1.2.1/1 : STa Access Authentication and Authorization Request 



Information element 
name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in 
IETF RFC 4282 [15] and shall be formatted as defined in clause 
19of3GPPTS23.003[14]. 


EAR payload 


EAP-payload 


M 


This IE shall contain the Encapsulated EAP payload used for 
the UE - 3GPP AAA Server mutual authentication 


Authentication Request 
Type 


Auth-Request- 
Type 


M 


This IE shall define whether the user is to be authenticated only, 
authorized only or both. AUTHORIZE_AUTHENTICATE shall 
be used in this case. 


UE Layer-2 address 


Calling-Station-ID 


M 


This IE shall contain the Layer-2 address of the UE. 


Supported 3GPP QoS 
profile 


QoS-Capability 





If the non-3GPP access network supports QoS mechanisms, 
this information element may be included to contain the access 
network"s QoS capabilities as defined in IETF RFC 5/// [9]. 


IVIobility Capabilities 


IVIIP6-Feature- 
Vector 


C 


This information element shall contain the mobility capabilities 
of the non-3GPP access network. This information shall be 
utilized if dynamic mobility mode selection is executed. The 
PIVIIP6 SUPPORTED flag shall be set if the non-3GPP access 
supports PMIPv6 (see IETF RFC 5779 [2]). The flag 
MIP6_INTEGRATED shall be set if DHCPv6 based Home 
Agent address discovery is supported as defined in lb 1 1- RFC 
5447 [6]. The MIP4_SUPPQRTED flag shall be set if the non- 
3GPP access supports MIPv4 FA-CoA mode. 


Access Type 


RAT-Type 


M 


This IE shall contain the non-3GPP access network technology 
type that is serving the UE. 


Access Network Identity 


ANID 


M 


This IE shall contain the access network identifier used for key 
derivation at the HSS. (See 3GPP TS 24.302 [26] for all 
possible values) 


Visited Network Identifier 


Visited-Network- 
Identifier 





If present, this IE shall contain the Identifier that allows the 
home network to identify the Visited Network. This AVP may be 
inserted by the non-3GPP access network depending on its 
local policy and only when it is not connected to the UE's Home 
Network. 


APN Id 


Service-Selection 





If present, this information element shall contain the Network 
Identifier part of the APN the user wants to connect to (if 
available). 


Terminal Information 


Terminal- 
Information 





If present, this information element shall contain information 
about the user"s mobile equipment. The type of identity carried 
depends on the access technology type. For an HRPD access 
network, the 3GPP2-MEID AVP shall be included in this 
grouped AVP. 


Supported Features 
(See 3GPP TS 29.229 
[24]) 


Supported- 
Features 





If present, this information element shall contain the list of 
features supported by the origin host for the lifetime of the 
Diameter session. 
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Table 5.1.2.1/2: Trusted non-3GPP Access Authentication and Authorization Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in IETF 
RFC 4282 [15] and shall be formatted as defined in clause 19 of 
3GPPTS 23.003 [14]. 


EAP payload 


EAP payload 


M 


This IE shall contain the Encapsulated EAP payload used for UE- 
3GPP AAA Server mutual authentication. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE AUTHENTICATE. See 
IETF RFC 4072 [5]. 


Result code 


Result-Code / 
Experimental 
Result Code 


M 


This IE shall contain the result of the operation. Result codes are 
as in Diameter Base Protocol (IETF RFC 3588 [7]). Experimental- 
Result AVP shall be used for STa errors. This is a grouped AVP 
which shall contain the 3GPP Vendor ID in the Vendor-Id AVP, 
and the error code in the Experimental-Result-Code AVP. 


Session Alive Time 


Session-Timeout 





This AVP may be present if the Result-Code AVP is set to 
DIAIVIETER _SUCCESS; if present, it contains the maximum 
number of seconds the session is allowed to remain active. 


Accounting Interim 
Interval 


Accounting 
Interim-Interval 





If present, this IE shall contain the Charging duration. 


Pairwise IVIaster Key 


EAP-Master- 
Session-Key 


c 


This IE shall be present if Result-Code AVP is set to 
DIAMETER SUCCESS. 


Default APN 


Context-Identifier 


c 


This AVP shall indicate the default APN for the user. It shall only 
be included if PIVIIPv6 is used, the non-3GPP access network 
was decided to be trusted and the Result-Code AVP is set to 
DIAMETER SUCCESS. 


APN-OI replacement 


APN-OI- 
Replacement 


c 


This AVP shall indicate the domain name to replace the APN-OI 
in the non-roaming case or in the home routed roaming case 
when constructing the PDN GW FODN upon which a DNS 
resolution needs to be performed. See 3GPP TS 23.003 [3]. It 
shall only be included if PMIPv6 is used and the Result-Code 
AVP is set to DIAMETER SUCCESS. 


APN and PGW Data 


APN- 
Configuration 


c 


This information element shall only be sent if the Result-Code 

AVP is set to DIAMETER_SUCCESS. 

When PMIPv6 is used this AVP shall contain the default APN, the 

list of authorized APNs, user profile information and PDN GW 

information. 

When local IP address assignment is used, this AVP shall only be 

present if DHCP based Home Agent discovery is used and 

contain the Home Agent Information for discovery purposes. 

The AGW knows if PMIPv6 is used or if a local IP address is 

assigned based on the flags in the MIP6-Feature-Vector. 

APN-Configuration is a grouped AVP, defined in 3GPP TS 

29.272 [29]. When PMIPv6 is used, the following information 

elements per APN may be included: 

-APN 

- Authorized 3GPP OoS profile 

- Statically allocated User IP Address (IPv4 and/or IPv6) 

- Allowed PDN types 

- PDN GW identity 

- PDN GW allocation type 

- VPLMN Dynamic Address Allowed 
-APN-AMBR 

- SIPTO permission 

When DSMIPvB with HA discovery based on DHCPv6 is used, 
the following information elements per Home Agent may be 
included: 

- HA-APN 

- Authorized 3GPP OoS profile 

- PDN GW identity 

When MIPv4 FACoA is used, the following information elements 

per APN may be included: 

-APN 

- Allowed PDN types 
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Serving GW Address 


MIP6-Agent-lnfo 





This AVP shall be used only in chained S2a-S8 cases and it shall 
be sent only if the Result-Code AVP is set to 
DIAMETER SUCCESS. 


Mobility Capabilities 


MIP6-Feature- 
Vector 


C 


This information element shall only be sent if the Result-Code 
AVP is set to DIAMETER_SUCCESS. 

It shall contain a AAA/HSS authorized set of mobility capabilities 
to the trusted non-3GPP access network, if dynamic mobility 
mode selection is done. 

ThePMIP6 SUPPORTED or ASSIGN LOCAL IP or 
MIP4_SUPP0RTED flag shall be set by the 3GPP AAA Server to 
mandate which mobility protocol is used. The 
MIP6_INTEGRATED flag shall be set if a Home Agent address is 
provided for DHCPv6 based Home Agent address discovery. In 
the latter case HA information for DHCPv6 discovery is provided 
via the APN-Configuration AVP. 


Permanent User 
Identity 


Mobile-Node- 
Identifier 


C 


This information element shall only be sent if PMIPv6 or MIPv4 is 
used and the Result-Code AVP is set to DIAMETER_SUCCESS 
and shall contain an AAA/HSS assigned identity (i.e. an IMSI in 
EPC root NAI format as defined in 3GPP TS 23.003 [14]) to be 
used by the MAG in subsequent PBUs as the MN-ID or MIPv4 
RROs as the MN-NAI identifying the user in the EPS network. 


3GPP AAA Server 
Name 


Redirect-Host 


C 


This information element shall be sent if the Result-Code value is 
set to DIAMETER_REDIRECT_INDICATION. When the user has 
previously been authenticated by another 3GPP AAA Server, it 
shall contain the Diameter identity of the 3GPP AAA Server 
currently serving the user. The node receiving this IE shall 
behave as defined in the Diameter Base Protocol (IETF RFC 
3588 [7]). The command shall contain zero or more occurrences 
of this information element. When choosing a destination for the 
redirected message from multiple Redirect-Host AVPs, the 
receiver shall send the Diameter request to the first 3GPP AAA 
Server in the ordered list received in the Diameter response. If no 
successful response to the Diameter request is received, the 
receiver shall send the Diameter request to the next 3GPP AAA 
Server in the ordered list. This procedure shall be repeated until a 
successful response is received from a 3GPP AAA Server. 


UE Charging Data 


3GPP-Charging- 
Characteristics 





If present this information element shall contain the type of 
charging method to be applied to the user (see 3GPP TS 29.061 
[31]). 


UEAIVIBR 


AMBR 


C 


This Information Element shall contain the UE AMBR of the user. 
It shall be present only if the non-3GPP access network was 
decided to be trusted, the Result-Code AVP is set to 
DIAMETER SUCCESS and ANID is "HRPD". 


Trust Relationship 
Indicator 


AN-Trusted 


C 


This AVP shall be included only in the first authentication and 
authorization response. If present, it shall contain the 3GPP AAA 
Server's decision on handling the non-3GPP access network 
trusted or untrusted. 


Supported Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of 
features supported by the origin host for the lifetime of the 
Diameter session. 


FA-RK 


MIP-FA-RK 


C 


This AVP shall be present if MIPv4 FACoA mode is used, the 
MN-FA authentication extension is supported and the Result- 
Code AVP is set to DIAMETER SUCCESS. 


FA-RK-SPI 


MIP-FA-RK-SPI 


C 


This AVP shall be present if MIP-FA-RK is present 



5.1.2.1.2 



3GPP AAA Server Detailed Behaviour 



On receipt of the first DER message, the 3GPP AAA Server shall check the validity of the ANID AVP and whether the 
non-3GPP GW is entitled to use the included value. The correct syntax of the ANID is checked as follows: 

In a non-roaming case, i.e. when the 3GPP AAA Server receives the request directly and not via the 3GPP AAA 
Proxy, checking ANID is mandatory; 
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In a roaming case when the request is received via an 3GPP AAA proxy, checking ANID is optional. The 3GPP 
AAA Server may decide to check ANID based on local configuration, e.g. depending on the received visited 
network identifier. 

If the checking result shows that the included ANID value is not valid (not defined by 3GPP) or that the 
requesting entity is not entitled to use the received ANID value, the Result-Code shall be set to 
DIAMETER_UNABLE_TO_COMPLY. 

The 3GPP AAA Server shall check if user data exists in the 3GPP AAA Server (containing valid authentication 
information for the current access network identity). If not, the 3GPP AAA Server shall use the procedures defined in 
SWx interface to obtain access authentication and authorization data. 

If SWx authentication response indicates that: 

The user does not exist, then the 3GPP AAA Server shall respond the non-3GPP GW with Experimental-Result- 
Code DI AMETER_ERROR_U S ER_UNKNOWN . 

The user does not have non-3GPP access subscription, then 3GPP AAA Server shall respond the non-3GPP GW 
with Experimental-Result-Code DIAMETER_ERR0R_USER_N0_N0N_3GPP_SUBSCRIPTI0N. 

The user is not allowed to roam in the visited network, then 3GPP AAA Server shall respond the non-3GPP GW 
with Experimental-Result-Code DIAMETER_ERROR_ROAMING_NOT_ALLOWED. 

The user is currently being served by a different 3GPP AAA Server, then the 3GPP AAA Server shall respond to 
the non-3GPP GW with the Result-Code set to DIAMETER_REDIRECT_INDICATION and the Redirect-Host 
set to the Diameter identity of the 3GPP AAA Server currently serving the user (as indicated in the 3GPP-AAA- 
Server-Name AVP returned in the SWx authentication response from the HSS). 

- Any other error occurred, then the error code DIAMETER_UNABLE_TO_COMPLY shall be returned to the 
Non-3GPP GW. 

When SWx authentication response includes the requested authentication information, the 3GPP AAA Server shall 
proceed with the authentication and authorization procedure. The 3GPP AAA Server shall use the procedures defined in 
SWx interface to obtain the user's subscription profile from HSS. 

Before sending out the authentication challenge, the 3GPP AAA Server shall decide, whether the access network is 
handled as Trusted or Untrusted. The 3GPP AAA Server shall make the decision based on the Access Network 
Identifier and Visited Network Identity information elements, according to its local policies. The local policies of the 
3GPP AAA Server shall be based on the security criteria described in 3GPP TS 33.402 [19]. 

NOTE: The network operator can configure this e.g. according to the roaming agreements with the non-3GPP AN 
operator or with VPLMN operator. 

In a roaming case, if the 3GPP AAA Server has received the trust relationship indicator from the VPLMN (AN-Trusted 
AVP), the 3GPP AAA Server may use this information as input parameter to the trusted/untrusted evaluation. 

The VPLMN trust relationship indicator may be utilized only if 

The local breakout may be used for some of the APN connections of the user and 

The appropriate trust relationship exists between the HPLMN and VPLMN operators. 

The 3GPP AAA Server shall identify the possibility for local breakout based on the 

VPLMN-Dynamic-Address-Allowed AVPs in the user's subscription profile; if the PDN GW may be allocated in the 
VPLMN for any of the subscribed APNs, local breakout is considered to be possible. 

If the 3GPP AAA Server has decided to take the received trust relationship indicator into account, it shall combine its 
own decision (taken as described above) with the received trust relationship indicator in a way that the final decision 
shall be "trusted" only if both initial decisions were "trusted"; otherwise, the final decision shall be "untrusted". 

Based on the trusted/untrusted decision, the 3GPP AAA Server may send a trust relationship indication to the UE, as 
described in 3GPP TS 24.302 [26]. 

The 3GPP AAA Server shall indicate the trust relationship assessment of the non-3GPP access network to the UE in the 
AT_TRUST_IND attribute as defined in 3GPP TS 24.302 [26]. The 3GPP AAA Server shall also indicate the trust 
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relationship assessment to the non-3GPP access network using AN-Trusted AVP in the DEA (EAP-Request/AKA- 
Challenge) command. 

If the decision is "Trusted", the STa authentication and authorization procedure is executed as described here, in clause 
5.1.2.1 and it subclauses. Otherwise, the SWa authentication and authorization procedure is executed as described in 
clause 4.1.2.1. 

The 3GPP AAA Server marks the trust relationship as "trusted" with the User Identity. If the 3GPP AAA Server detects 
that an S6b session already exists for the corresponding UE and the S6b session was established as a result of an 
authentication request for DSMIPv6, the 3GPP AAA Server shall send the trust relationship to the PDN GW as 
specified in clause 9.1.2.5. 

The 3GPP AAA Server shall run EAP-AKA' authentication as specified in 3GPP TS 33.402 [19]. Exceptions shall be 
treated as error situations and the result code shall be set to DIAMETER_UNABLE_TO_COMPLY. 

Once authentication is successfully completed, the 3GPP AAA Server shall perform the following authorization 
checking (if there is an error in any of the steps, the 3GPP AAA Server shall stop processing and return the 
corresponding error): 

1) Check if the user is barred to use the non 3GPP Access. If it is so, then the Result-Code shall be set to 
DIAMETER_AUTHORIZATION_REJECTED 

2) Check if the user is barred to use the subscribed APNs. If it is so, then the Result-Code shall be set to 
DIAMETER_AUTHORIZATION_REJECTED 

3) Check RAT-Type AVP. If 

the access type indicates any value not described in 3GPP TS 29.212 [23] or 
the received RAT-Type is listed in the user's disallowed RAT-Types, 
this shall be treated as error and the Result-Code DIAMETER_UNABLE_TO_COMPLY shall be returned. 
The following steps are only executed if the non-3GPP access network was decided to be Trusted. 

4) Check if the user has a subscription for the requested APN. If not, Experimental-Result-Code shall be set to 
DIAMETER_ERROR_USER_NO_APN_SUBSCRIPTION 

5) If present, check the flags of the received MIP6-Feature-Vector AVP: 

- If the MIP6-INTEGRATED flag is set and the 3GPP AAA Server has authorized DHCP Home Agent 
assignment, the 3GPP AAA Server shall include the Home Agent addresses in the APN-Configuration AVP 
in the response and the MIP6-Feature-Vector AVP with the MIP6 -INTEGRATED flag set. If the HA 
assignment via DHCPv6 is not used, the MIP6-Feature- Vector AVP with the MIP6-INTEGRATED flag not 
set shall be sent. 

- The PMIP6_SUPPORTED flag indicates to the 3GPP AAA Server whether the trusted non-3GPP GW 
supports PMIPv6 or not. As specified in 3GPP TS 23.402 [3], based on the information it has regarding the 
UE (see 3GPP TS 24.302 [26]), local/home network capabilities and local/home network policies, the 3GPP 
AAA Server may perform mobility mode selection. If the 3GPP AAA Server decides that PMIPv6 should be 
used, the PMIP6_SUPPORTED flag shall be set in the response to indicate the PMIPv6 support of the UE to 
the trusted non 3GPP GW. If the 3GPP AAA Server decides that a local IP address should be assigned, the 
ASSIGN_LOCAL_IP flag shall be set in the response to indicate to the trusted non 3GPP GW that a local IP 
address should be assigned. The 3GPP AAA Server shall not set the PMIP6_SUPP0RTED and 
ASSIGN_LOCAL_IP flags both at the same time in the response. 

- The MIP4_SUPPORTED flag indicates to the 3GPP AAA Server whether the trusted non-3GPP GW 
supports MIPv4 FA-CoA mode or not. As specified in 3GPP TS 23.402 [3], based on the information it has 
regarding the UE (see 3GPP TS 24.302 [26]), local/home network capabilities and local/home network 
policies, the 3GPP AAA Server may perform mobility mode selection. If the 3GPP AAA Server decides that 
MIPv4 FA-CoA mode should be used, the MIP4_SUPPORTED flag shall be set in the response. 

NOTE: When selecting DSMIPv6 the AAA server assumes that the trusted non 3GPP GW has the capability to 
assign a local IP address to the UE. 



£75/ 



3GPP TS 29.273 version 1 0.7.0 Release 1 25 ETSI TS 1 29 273 V1 0.7.0 (201 2-1 0) 

Once the Authentication and Authorization procedure successfully finishes, the 3GPP AAA Server shall download, 
together with authentication data, the list of authorized APN"s and the authorized mobility protocols in the 
authentication and authorization response from the HSS (see SWx procedure in Section 8.1.2.1). 

Once the Authentication and Authorization procedures successfully finish and if MIPv4 FACo A mode is used the 3GPP 
AAA Server shall calculate the MIPv4 FACoA mobility security parameters as defined in 3GPP TS 33.402 [19] and 
include these in the authentication and authorization response to the trusted non 3GPP GW. 

Exceptions to the cases specified here shall be treated by 3GPP AAA Server as error situations, the Result-Code shall 
be set to DIAMETER_UNABLE_TO_COMPLY and, therefore, no authorization information shall be returned. 

5.1 .2.1 .3 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy is required to handle roaming cases in which the non-3GPP access network is connected to a 
VPLMN. The 3GPP AAA Proxy shall act as a stateful proxy, with the following additions. 

On receipt of an authentication and authorization request, the 3GPP AAA Proxy 

shall check the Visited-Network-Identifier AVP, 

If the AVP is not present, the 3GPP AAA Proxy shall insert it before forwarding the request to the 3GPP 
AAA Server. 

If the AVP is present, the 3GPP AAA Proxy may check and overwrite its value, depending on its local 
policy, e.g. the trusted non-3GPP access network being operated by the VPLMN operator or by a third party. 

shall check the ANID AVP. If the result of the checking shows that the included ANID value is not valid (not 
defined by 3GPP) or that the requesting entity is not entitled to use the received value, the Result-Code shall be 
set to DIAMETER_UNABLE_TO_COMPLY and the authentication response shall be sent to the trusted non- 
3GPP GW. 

may take a decision about the trustworthiness of the non-3GPP access from VPLMN's point of view. If such 
decision is taken, it shall be based on the Access Network Identifier and optionally, on further information about 
the non-3GPP access network, according to the 3GPP AAA Proxy's local policies. These local policies shall 
reflect the security criteria described in 3GPP TS 33.402 [19], with the assumption that the PDN GW will be 
allocated in the VPLMN. 

NOTE: For example, if hop-by-hop security relationship exists between the NAS and the 3GPP AAA Proxy, the 
3GPP AAA Proxy may use the Origin-Host AVP to uniquely identify the NAS and the access network. 

The decision about the trustworthiness of the non-3GPP access network is encoded to the VPLMN trust 
relationship indicator that is inserted to the authentication and authorization request. 

On receipt of the first authentication and authorization request, the 3GPP AAA Proxy shall check locally configured 
information whether users from the HPLMN are allowed to activate a PDN connection from the non-3GPP access 
network via this (V)PLMN. If not, the Experimental-Result-Code shall be set to 

DIAMETER_ERROR_ROAMING_NOT_ALLOWED and the authentication and authorization response shall be sent 
to the non-3GPP access network. 

On receipt of the authentication and authorization answer that completes a successful authentication, the 3GPP AAA 
Proxy 

may check locally configured information about using the chained S8-S2a option towards the given HPLMN. If 
chaining is required, the 3GPP AAA Proxy shall select a Serving GW from its network configuration database 
and shall include the Serving GW address in the answer. 

shall check locally configured information for the maximum allowed static QoS parameters valid for visitors 
from the given HPLMN and modify the QoS parameters received from the 3GPP AAA Server, to enforce the 
policy limitations. 

shall record the state of the connection (i.e. Authentication and Authorization Successful). 
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5.1 .2.1 .4 Trusted non-3GPP GW Detailed Behaviour 

The Trusted non-3GPP GW shall initiate the Trusted non-3GPP Access Authentication and Authorization procedure 
when the user attaches to the access network. During the authentication, it shall act as a pass-through EAP 
authenticator. 

If PMIPv6 or MIPv4 FACoA is used, at successful completion of the procedure, the trusted non-3GPP GW shall store 
the non-3GPP user data received from the 3GPP AAA Server. The trusted non-3GPP GW shall utilize these data 

To authorize the APNs received in PDN connection creation request from the UE; 

To authorize the requested home address types: IPv4 home address and/or IPv6 home network prefix. 

NOTE: The user will be allowed to create PDN connections only to the subscribed APNs and use the address 
types that are allowed by the subscribed PDN types. 

If DSMIPv6 is used and if the trusted non-3GPP GW has received the PGW identity in form of the FQDN from the 
3GPP AAA Server, then the trusted non-3GPP GW may obtain the IP address of the Home Agent functionality of that 
PGW as described in 3GPP TS 29.303 [34]. 

If MIPv4 FACo A is used and if the non-3GPP GW has received FA-RK-SPI and FA-RK from the 3GPP AAA Server , 
the trusted non-3GPP GW will use FA-RK key and FA-RK-SPI to further derive MN-FA shared key and MN-FA-SPI, 
as defined in 3GPP TS 33.402 [19]. These are used to process the MN-FA Authentication Extension in the RRQ/RRP 
messages if the extension is present. 

If the subscriber is not roaming and the SIPTO-Permission information for an APN is present, the HSGW shall allow 
SIPTO for that APN only if the SIPTO-Permission information indicates so. If the subscriber is not roaming and the 
SIPTO-Permission information for an APN is not present, the HSGW may allow SIPTO for that APN. If the subscriber 
is roaming and the SIPTO-Permission information for an APN is present, the HSGW shall allow SIPTO for that APN 
only if the SIPTO-Permission information indicates so and the VPLMN Dynamic Address is allowed and the HSGW 
selects a PDN GW in the VPLMN. For the requested APN allowed for SIPTO, the trusted non-3GPP access network 
may use the 3GPP DNS mechanism to select a PGW which is close to the HSGW. Detailed behaviour is specified in 
3GPP2 X.S0057 [25], 3GPP TS 23.402 [3] and 3GPP TS 29.303 [34]. 

For emergency attach procedures, for handover or initial attach to a Trusted non-3GPP GW access, if the trusted non- 
3GPP GW access supports Emergency services for users in limited service state, then the trusted non-3GPP GW shall 
skip the authentication procedure (for users without an IMSI or with an IMSI marked as unauthenticated); or if the 
trusted non-3GPP GW access accepts that the authentication may fail (for users with an IMSI), it shall continue with the 
procedure. For these cases, the Trusted non-3GPP GW shall release any non-emergency PDN connections. 

5.1 .2.2 HSS/AAA Initiated Detach on STa 

5.1.2.2.1 General 

This procedure is used to communicate between the 3GPP AAA/HSS and the the trusted non-3GPP access network to 
indicate that the 3GPP AAA/HSS has decided that a specific UE shall be detached from accessing the EPC. The 
procedure is based on Diameter session abort messages. 

Diameter usage over the STa interface: 

This procedure is mapped to the Diameter command codes Diameter-Abort-Session-Request (ASR), 
Diameter-Abort-Session-Answer (ASA), Diameter-Session-Termination-Request (STR) and Diameter- 
Session-Termination- Answer (STA) specified in RFC 3588 [7]. Information element contents for these 
messages are shown in tables 5.1.2.2.1/1 and 5.1.2.2.1/2. 

- The STa application id value of 16777250 shall be used as the Application Id in ASR/ASA/STR/STA 
commands. 
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Table 5.1.2.2.1/1 : Information Elements passed in ASR message 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the permanent identity 
of the user (i.e. an IMSI in EPC root NAI format as defined in 
3GPPTS 23.003 [14]). 


Auth-Session- 
State 


Auth-Session- 
State 





If present this information element shall indicate to the Non- 
3GPP GW whether the 3GPP AAA Server requires an STR 
message. 



Table 5.1.2.2.1/2: Information Elements passed in ASA message 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result-Code 


Result-Code 


M 


This IE shall indicate the result of the operation. 



Table 5.1.2.2.1/3: Information Elements passed in STR message 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Termination- 
Cause 


Termination- 
Cause 


M 


This information element shall contain the reason why the 
session was terminated. It shall be set to 
"DIAMETER_ADMINISTRATIVE" to indicate that the 
session was terminated in response to an ASR message. 



Table 5.1.2.2.1/4: Information Elements passed in STA message 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result-Code 


Result-Code 


M 


This IE shall contain the result of the operation. 



5.1.2.2.2 



3GPP AAA Server Detailed Behaviour 



The 3GPP AAA Server shall make use of this procedure to instruct the Non-3GPP access network to detach a specific 
user from the access network. 

In the DSMIPv6 case, the 3GPP AAA Server shall initiate first the detach procedure over the S6b reference point 
towards the PDN GW. When this process has finalized, the 3GPP AAA Server can initiate the detach procedure of the 
UE from the non-3GPP access network. 

The 3GPP AAA Server shall include the Auth-Session-State AVP in the ASR command with a value of 
NO_STATE_MAINTAINED if it does not require a STR from the Non-3GPP GW. If it does require a STR from the 
Non-3GPP GW, the 3GPP AAA Server shall either omit the Auth-Session-State AVP from the ASR command or 
include the Auth-Session-State AVP in the ASR command with a value of STATE_MAINTAINED. 

On receipt of the ASR command, the Non-3GPP access network shall check if the user is known in the Non-3GPP 
access network. If not, Experimental-Result-Code shall be set to DIAMETER_ERROR_USER_UNKNOWN. 

If the user is known, the Non-3GPP access network shall perform the disconnection of all the PDN connections active 
for this user and remove any stored user information, except for emergency PDN connections which shall remain active, 
if the trusted Non-3GPP access supports Emergency services for users in limited service state. 

The Non-3GPP access network shall set the Result-Code to DIAMETER_SUCCESS and send back the ASA command 
to the 3GPP AAA Server, which shall update the status of the subscriber on the detached access network. 

If required by the 3GPP AAA Server, the Non-3GPP GW shall send an STR with the Termination-Cause set to 
DIAMETER_ADMINISTRATIVE. The 3GPP AAA Server shall set the Result-Code to DIAMETER_SUCCESS and 
return the STA command to the Non-3GPP GW. 
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5.1 .2.2.3 3GPP AAA Proxy Detailed Behaviour 

When the 3GPP AAA Proxy receives the ASR from the 3GPP AAA Server it shall route the request to the non-3GPP 
access network. 

If the 3GPP AAA Proxy requires an STR but the 3GPP AAA Server does not, the 3GPP AAA Proxy may override the 
value of the Auth-Session-State AVP in the ASR and set it to STATE_MAINTAINED. In this case, the 3GPP AAA 
Proxy shall not forward the STR received from the non-3GPP GW onto the 3GPP AAA Server and shall return an STA 
command to the non-3GPP GW with the Result-Code set to DIAMETER_SUCCESS. The 3GPP AAA Proxy shall not 
override the value of the Auth-Session-State AVP under any other circumstances. 

On receipt of the ASA message with Diameter Result Code set to DIAMETER_SUCCESS, the 3GPP AAA Proxy shall 
route the successful response to the 3GPP AAA Server and shall release the resources associated with the session. 

When the 3GPP AAA Proxy receives the STR from the Non-3GPP GW, it shall route the request to the 3GPP AAA 
Server. On receipt of the STA message, the 3GPP AAA Proxy shall route the response to the Non-3GPP GW. 

5.1 .2.3 STa Re-Authorization and Re-Authentication Procedures 

5.1.2.3.1 General 

The STa Re-Authorization procedure shall be used between the 3GPP AAA Server and the trusted non-3GPP access for 
enabling: 

The 3GPP AAA Server to modify the previously provided authorization parameters. This may happen due to a 
modification of the subscriber profile in the HSS (for example, removal of a specific APN associated with the 
subscriber, or change of the identity of a dynamically allocated PDN GW, see subclause 8.1.2.3). In this case. 

This procedure is performed in two steps: 

The 3GPP AAA server shall issue an STa Re-Auth request towards the trusted non-3GPP access. Upon 
receipt of such a request, the trusted non-3GPP access shall respond to the request and shall indicate the 
disposition of the request. This procedure is mapped to the Diameter command Re-Auth-Request and Re- 
Auth- Answer specified in IETF RFC 3588 [7]. Information element contents for these messages are shown in 
tables 5. 1.2.3. 1/1 and 5.1.2.3.1/2. 

Upon receiving the STa Re-Auth request, the non-3GPP access shall immediately invoke the STa access 
authorization procedure, based on the reuse of the Diameter command codes AA-Request and AA- Answer 
commands specified in IETF RFC 4005 [4]. Information element contents for these messages are shown in 
tables 5.1.2.3.1/3 and 5.1.2.3.1/4. 

The trusted non-3GPP access to retrieve the subscriber profile from the HSS. This procedure may be initiated at 
any time by the Trusted non-3GPP GW for check if there is any modification in the user authorization 
parameters previously provided by the 3GPP AAA Server. In this one-step procedure, the trusted non-3GPP 
access shall invoke the STa access authorization procedure, based on the reuse of the Diameter commands AA- 
Request and AA- Answer commands IETF RFC 4005 [4]. Information element contents for these messages are 
shown in tables 5.1.2.3.1/3 and 5.1.2.3.1/4. 



After receiving the authorization answer, the trusted non-3GPP GW will release the active PDN connections, for which 
the authorization has been revoked. If the authorization was rejected by the 3GPP AAA server (e.g. because the user's 
subscription for non-3GPP accesses has been terminated), the non-3GPP access network shall detach the user from the 
non-3GPP access network and release all resources. If an emergency PDN connection is active and the trusted non- 
3GPP access supports emergency services for users in limited service state, the non-3GPP access network shall keep the 
user attached in the non-3GPP access and the emergency PDN connection active. The non-emergency resources shall be 
released. 

The STa Re-Authentication procedure shall be used between the 3GPP AAA Server and the trusted non-3GPP access 
for re-authenticating the user. This procedure may be initiated at any time by the 3GPP AAA Server based on HPLMN 
operator policies configured in the 3GPP AAA server. This procedure is performed in two steps: 

The 3GPP AAA server issues an STa Re-Auth request towards the trusted non-3GPP access. Upon receipt of 
such a request, the trusted non-3GPP access shall respond to the request and indicate the disposition of the 
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request. This procedure is mapped to the Diameter command Re-Auth-Request and Re-Auth- Answer specified 
in IETF RFC 3588 [7]. Information element contents for these messages are shown in tables 5.1.2.3.1/1 and 
5.1.2.3.1/2. 

Upon receiving the STa Re-Auth request, the trusted non-3GPP access shall immediately invoke the STa Access 
Authentication and Authorization procedure, based on the Re-Auth Request Type provided by the 3GPP AAA 
server. This procedure is mapped to the Diameter command codes based on the reuse of the Diameter commands 
Diameter-EAP-Request and Diameter-EAP- Answer specified in IETF RFC 4072 [5]. Information element 
contents for these messages are shown in tables 5.1.2.3.1/5 and 5.1.2.3.1/6. 

If the re-authentication of the user is not successful, the trusted non-3GPP access will release all the active PDN 
connections of the user, except for emergency PDN connections which shall remain active if the trusted non-3GPP 
access supports Emergency services for users in limited service state. After a successful authentication and 
authorization procedure, the trusted 3GPP GW shall release the active PDN connections for which the authorization has 
been revoked. 

Table 5.1.2.3.1/1 : STa Re-Auth request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in clause 19 of 3GPP TS 23.003 [14]. 


Re-Auth 
Request Type 


Re-Auth- 
Request-Type 


M 


This IE shall define whether the user is to be authenticated only, authorized 

only or both. In this case, the following values shall be used: 

AUTHORIZE_AUTHENTICATE if the re-authentication of the user is 

requested; 

AUTHORIZEONLY If the update of the previously provided user 

authorization parameters is requested. 


Routing 
Information 


Destination- 
Host 


M 


This information element shall be obtained from the Origin-Host AVP, which 
was included in a previous command received from the trusted non-3GPP 
access. 



Table 5.1.2.3.1/2: STa Re-Auth response 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in clause 19 of 3GPP TS 23.003 [14]. 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for STa errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 
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Table 5.1.2.3.1/3: STa Authorization Request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in clause 19 of 3GPP TS 23.003 [14]. 


Request-Type 


Auth-Request- 
Type 


M 


This IE shall define whether the user is to be authenticated only, authorized 

only or both. In this case, it shall have the value: 

AUTHORIZE_ONLY 


IVIobility 
Capabilities 


MIP6-Feature- 
Vector 


C 


This information element shall contain the mobility capabilities of the non- 
3GPP access network. 

This AVP shall be included only if optimized idle mode mobility from E- 
UTRAN to HRPD access is executed. When included, the 
PMIP_SUPPORTED and the OPTIMIZED_IDLE_MODE_MOBILITY flags 
shall be set. 


Routing 
Information 


Destination- 
Host 


M 


The 3GPP AAA Server name shall be obtained from the Origin-Host AVP of 
a previously received message. 
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Table 5.1.2.3.1/4: STa Authorization response 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Registration 
Result 


Result Code/ 
Experimental 
Result Code 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for STa errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP 


Request-Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE_ONLY. See IETF RFC 4072 [5]. 


Session Alive 
Time 


Session- 
Timeout 





This AVP may be present if the Result-Code AVP is set to DIAIVIETER 
_SUCCESS; if present, it shall contain the maximum number of seconds the 
user session is allowed to remain active. This AVP is defined in IETF RFC 
3588 [7]. 


Accounting 
Interim Interval 


Acct-lnterim- 
Interval 





If present, this IE shall contain the Charging duration. 


APN-OI 
replacement 


APN-OI- 
Replacement 


c 


This AVP shall indicate the domain name to replace the APN-OI in the non- 
roaming case or in the home routed roaming case when constructing the 
PDN GW FQDN upon which it needs to perform a DNS resolution. See 
3GPP TS 23.003 [3]. It shall only be included if PMIPv6 is used and the 
Result-Code AVP is set to DIAMETER SUCCESS. 


APN and PGW 
Data 


APN- 
Configuration 


c 


This information element shall only be sent if the Result-Code AVP is set to 

DIAMETER_SUCCESS. 

When PMIPv6 is used, this AVP shall contain the default APN, the list of 

authorized APNs, user profile information and PDN GW information. 

When local IP address assignment is used, this AVP shall only be present if 

DHCP based Home Agent discovery is used and contain the Home Agent 

Information for discovery purposes. 

The Trusted Non-3GPP GW knows if PMIPv6 is used or if a local IP address 

is assigned based on the flags in the MIP6-Feature-Vector received during 

the STa access authentication and authorization procedure. 

APN-Configuration is a grouped AVP, defined in 3GPP TS 29.272 [29]. 

When PMIPv6 is used, the following information elements per APN may be 

included: 

-APN 

- Authorized 3GPP QoS profile 

- Statically allocated User IP Address (IPv4 and/or IPv6) 

- Allowed PDN types (IPv4, IPv6, IPv4v6, IPv4_OR_IPv6) 

- PDN GW identity 

- PDN GW allocation type 

- VPLMN Dynamic Address Allowed 

When DSMIPv6 with HA discovery based on DHCPv6 is used, the following 
information elements per Home Agent may be included: 

- HA-APN 

- Authorized 3GPP QoS profile 

- PDN GW identity 


UE Charging 
Data 


3GPP- 

Charging- 

Characteristics 





If present, this information element shall contain the type of charging method 
to be applied to the user (see 3GPP TS 29.061 [31]). 


UEAMBR 


AMBR 


c 


This Information Element shall contain the modified UE AMBR of the user. It 
shall be present if the Result-Code AVP is set to DIAMETER SUCCESS 
andANIDis"HRPD". 


IVIobility 
Capabilities 


MIP6-Feature- 
Vector 


c 


This information element shall only be sent if it has been received in the 

corresponding authorization request and the Result-Code AVP is set to 

DIAMETER SUCCESS. 

When included, the PMIP SUPPORTED and the 

OPTIMIZED IDLE MODE MOBILITY flags shall be set. 
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Table 5.1.2.3.1/5: STa Access Authentication and Authorization Request 



Information element 
name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in 
IETF RFC 4282 [15] and shall be formatted as defined in clause 
19of3GPPTS23.003[14]. 


EAP payload 


EAP-payload 


M 


This IE shall contain the Encapsulated EAP payload used for 
the UE - 3GPP AAA Server mutual authentication 


Authentication Request 
Type 


Auth-Request- 
Type 


M 


This IE shall define whether the user is to be authenticated only, 
authorized only or both. In this case, it shall have the value 
AUTHORIZE AUTHENTICATE. 
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Table 5.1.2.3.1/6: Trusted non-3GPP Access Authentication and Authorization Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in IETF 
RFC 4282 [1 5] and it shall be formatted as defined in clause 1 9 of 
3GPPTS 23.003 [14]. 


EAP payload 


EAP payload 


M 


This IE shall contain the Encapsulated EAP payload used for UE- 
3GPP AAA Server mutual authentication. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE AUTHENTICATE. See 
IETF RFC 4072 [5]. 


Result code 


Result-Code / 
Experimental 
Result Code 


M 


This IE shall contain the result of the operation. Result codes are 
as in Diameter Base Protocol (IETF RFC 3588 [7]). Experimental- 
Result AVP shall be used for STa errors. This is a grouped AVP 
which shall contain the 3GPP Vendor ID in the Vendor-Id AVP, 
and the error code in the Experimental-Result-Code AVP. 


Session Alive Time 


Session-Timeout 





This AVP may be present if the Result-Code AVP is set to 
DIAIVIETER _SUCCESS; if present, it contains the maximum 
number of seconds the user session is allowed to remain active. 
This AVP is defined in IETF RFC 3588 [7]. 


Accounting Interim 
Interval 


Accounting 
Interim-Interval 





If present, this IE shall contain the Charging duration. 


Pairwise IVIaster Key 


EAP-Master- 
Session-Key 


c 


This IE shall be sent if Result-Code AVP is set to 
DIAMETER SUCCESS. 


Default APN 


Context-Identifier 


c 


This AVP shall indicate the default APN for the user. It shall only 
be included if PIVIIPv6 is used and the Result-Code AVP is set to 
DIAMETER SUCCESS. 


APN-OI replacement 


APN-OI- 
Replacement 


c 


This AVP shall indicate the domain name to replace the APN-OI 
in the non-roaming case or in the home routed roaming case 
when constructing the PDN GW FODN upon which it needs to 
perform a DNS resolution. See 3GPP TS 23.003 [3]. It shall only 
be included if PMIPv6 is used and the Result-Code AVP is set to 
DIAMETER SUCCESS. 


APN and PGW Data 


APN- 
Configuration 


c 


This information element shall only be sent if the non-3GPP 

access network was decided to be trusted and the Result-Code 

AVP is set to DIAMETER_SUCCESS. 

When PMIPv6 is used this AVP shall contain the default APN, the 

list of authorized APNs, user profile information and PDN GW 

information. 

When local IP address assignment is used, this AVP shall only be 

present if DHCP based Home Agent discovery is used and 

contain the Home Agent Information for discovery purposes. 

The AGW knows if PMIPv6 is used or if a local IP address is 

assigned based on the flags in the MIP6-Feature-Vector. 

APN-Configuration is a grouped AVP, defined in 3GPP TS 

29.272 [29]. When PMIPv6 is used, the following information 

elements per APN may be included: 

-APN 

- Authorized 3GPP OoS profile 

- User IP Address (IPv4 and/or IPv6) 

- Allowed PDN types (IPv4, IPv6, IPv4v6, IPv4 OR IPv6) 

- PDN GW identity 

- PDN GW allocation type 

- VPLMN Dynamic Address Allowed 

- APN-AMBR 

When DSMIPv6 with HA discovery based on DHCPv6 is used, 
the following information elements per Home Agent may be 
included: 

- HA-APN 

- Authorized 3GPP OoS profile 

- PDN GW identity 


UE Charging Data 


3GPP-Charging- 
Characteristics 





If present, this information element shall contain the type of 
charging method to be applied to the user (see 3GPP TS 29.061 
[31]). 
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UEAMBR 


AMBR 


C 


This Information Element shall contain the UE AMBR of the user. 
It shall be present only if the non-3GPP access network was 
decided to be trusted, the Result-Code AVP is set to 
DIAMETER SUCCESS and ANID is "HRPD". 


FA-RK 


MIP-FA-RK 


C 


This AVP shall be present if MIPv4 is used, MN-FA 
authentication extension is supported and the Result-Code AVP 
is set to DIAMETER SUCCESS. 


FA-RK-SPI 


MIP-FA-RK-SPI 


C 


This AVP shall be present if MIP-FA-RK is present 



5.1.2.3.2 



3GPP AAA Server Detailed Behaviour 



Handling of Re-Auth Request: 

The 3GPP AAA Server shall make use of this procedure to indicate the following: 

If the relevant service authorization information shall be updated in the Trusted non-3GPP GW, the 
Re-Auth-Request-Type shall be set to AUTHORIZE_ONLY. This procedure may be triggered by the HSS 
sending a subscription data update (refer to clause 8.1.2.3) or by local policies, e.g. periodic re-authorization 
configured by the operator. As for the STa reference point, only a single Diameter authorization session is used 
for a user, this procedure is initiated for all the PDN connections of this user, i.e. a single instance of Re- 
authorization Request shall be used per user. 

If the re-authentication and re-authorization of the user shall be executed, the Re-Auth-Request-Type shall be 
set to AUTHORIZE_AUTHENTICATE. This procedure may be triggered e.g. by the expiration of a timer 
started at the successful completion of the last (re-)authentication of the user, depending on the local policies 
configured in the 3GPP AAA Server. 

Handling of Authorization Request: 

The 3GPP AAA Server shall check that the user exists in the 3GPP AAA Server. The check shall be based on Diameter 
Session-Id. If not, Experimental-Result-Code shall be set to DIAMETER_ERROR_USER_UNKNOWN. If the user 
exists, the 3GPP AAA Server shall perform the authorization checking described in chapter 5.1.2.1.2. 

If the Authorization request contained the MIP6-Feature-Vector with the OPTIMIZED_IDLE_MODE_MOBILITY flag 
set, the AAA server shall request the user data from the HSS, in order to retrieve up-to-date PDN GW information. 

Handling of Authentication and Authorization Requests: 

The 3GPP AAA Server shall execute the re-authentication of the user, using a full authentication or fast re- 
authentication, as described in 3GPP TS 33.402 [19], clause 6.2 and 6.3. If full authentication is executed and there are 
no valid authentication vectors for the given non-3GPP access network available in the 3GPP AAA Server, it shall fetch 
authentication vectors from the HSS. A combined authentication and authorization shall be executed, with reduced 
message content described in Tables 5.1.2.3.1/5 and 5.1.2.3.1/6. The QoS-Capability, Access Network Identity, Access 
Type, Visited Network Identifier, Terminal Information elements received during the initial authentication and 
authorization procedure as well as the trustworthiness of the non-3GPP AN and the IP mobility mode selected during 
that procedure shall be considered as valid. If re-authentication of the user is successful and MIPv4 FACo A mode is 
used the 3GPP AAA Server shall create the MIPv4 FACoA security parameters as defined in 3GPP TS 33.402 [19]. 

If the re-authentication of the user is unsuccessful, the 3GPP AAA Server shall: 

Terminate all S6b authorization sessions connected to the user, as described in clause 9.1.2.4 

- Remove all APN-PDN GW bindings from the HSS, as described in subclauses 8.1.2.2.2.1 and 8.1.2.2.2.2. 

De-register the user from the HSS, as described in subclauses 8.1.2.2.2.1 and 8.1.2.2.2.2. Depending on the 
cause of the re-authentication being unsuccessful, the Server Assignment Type shall be set to 
AUTHENTICATION_FAILURE or AUTHENTICATION_TIMEOUT. 

Release all resources connected to the user. 



5.1.2.3.3 



3GPP AAA Proxy Detailed Behaviour 



The 3GPP AAA Proxy is required to handle roaming cases in which the Non-3GPP GW is in the VPLMN. The 3GPP 
AAA Proxy shall act as a stateful proxy, with the following additions. 
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When forwarding the authorization answer or the authentication and authorization answer, the 3GPP AAA Proxy 

shall check locally configured information for the maximum allowed static QoS parameters valid for visitors 
from the given HPLMN and modify the QoS parameters received from the 3GPP AAA Server, to enforce the 
policy limitations. 

shall record the state of the connection (i.e. Authentication and Authorization Successful). 



5.1.2.3.4 



Trusted Non-3GPP Access Network Detailed Behaviour 



Upon receiving the re-auth request, the Trusted non-3GPP GW shall perform the following checks and if an error is 
detected, the non-3GPP access network shall stop processing the request and return the corresponding error code. 

Check the Re-Auth-Request-Type AVP: 

1) If it indicates AUTHENTIC ATE_ONLY, Result-Code shall be set to DIAMETER_INVALID_AVP_VALUE. 

2) If it indicates AUTHORIZE_AUTHENTICATE, the authentication and authorization of the user is initiated, as 
defined in 3GPP TS 33.402, with the Diameter message contents described by Tables 5.1.2.3.1/5 and 5.1.2.3.1/6. 

3) If it indicates AUTHORIZE_ONLY, the non-3GPP GW shall just perform an authorization procedure as 

described by Tables 5.1.2.3.1/3 and 5.1.2.3.1/4. 

After successful authorization or authentication and authorization procedure, the trusted non-3GPP GW shall overwrite, 
for the subscriber identity indicated in the request and the received session, the current authorization information with 
the information received from the 3GPP AAA Server. 

The release of a PDN connection shall be initiated if the user's subscription for the APN belonging to an active PDN 
connection has been terminated. 

If the authorization or authentication and authorization procedure was unsuccessful, the non-3GPP access shall detach 
the user from the non-3GPP access network and release all resources. If the trusted non-3GPP access supports 
emergency services for users in limited service state, and there is an emergency PDN connection active for such user, 
the non-3GPP access network shall keep the user attached in the non-3GPP access and the emergency PDN connection 
active. The non-emergency resources shall be released. 

The Trusted Non-3GPP GW shall initiate the re-authorization of the user in a one-step procedure (i.e. without receiving 
a re-authorization request from the AAA Server) if the PDN GW information needs to be updated for optimized idle 
mode mobility from E-UTRAN to HRPD access. 



5.1.2.4 



Non-3GPP Access Network Initiated Session Termination 



5.1.2.4.1 



General 



The STa reference point allows the non-3GPP access network to inform the 3GPP AAA server that the session 
resources of the non-3GPP access network assigned to a given user are being released. 

The procedure shall be initiated by the non-3GPP access network and removes non-3GPP access information from the 
3GPP AAA Server. These procedures are based on the reuse of Diameter Base IETF RFC 3588[7] STR and STA 
commands 

Table 5.1.2.4.1/1 : STa Session Termination Request 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user (i.e. an IMSI in 
EPC root NAI format as defined in 3GPP TS 23.003 [14]). 


Termination 
Cause 


Termination- 
Cause 


M 


This IE shall contain the reason for the disconnection. 
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Table 5.1.2.4.1/2: STa Session Termination Answer 



Information 


Mapping to 


Cat. 


Description 


Element name 


Diameter AVP 






Result 


Result-Code / 


M 


This IE shall contain the result of the operation. 




Experimental- 




The Result-Code AVP shall be used for errors as defined in the Diameter 




Result 




Base Protocol. 

The Experimental-Result AVP shall be used for S6b errors. 



5.1 .2.4.2 3GPP AAA Server Detailed Behaviour 

Upon reception of the Session Termination Request message from the non-3GPP access network, the 3GPP AAA 
Server shall check that there is an ongoing session associated to the two parameters received (Session-Id and User- 
Name). 

If an active session is found and it belongs to the user identified by the User-Name parameter, the 3GPP AAA Server 
shall deregister itself as the managing 3GPP AAA Server for the subscriber following the procedures listed in 8.1.2.2.2. 
In case of a deregistration success, the 3GPP AAA Server shall release the session resources associated to the specified 
session and a Session Termination Response shall be sent to the non-3GPP access network, indicating 
DIAMETER_SUCCESS. If deregistration from the HSS fails, the 3GPP AAA Server shall return a Session- 
Termination Response with the Diameter Error DIAMETER_UNABLE_TO_COMPLY. 

Otherwise, the 3GPP AAA Server returns a Session Termination Response with the Diameter Error 
DIAMETER_UNKNOWN_SESSION_ID 

5.1 .2.4.3 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy is required to handle roaming cases in which the non-3GPP access network is located in the 
VPLMN. The 3GPP AAA Proxy shall act as a stateful proxy. 

On receipt of the Session Termination Request message from the non-3GPP access network, the 3GPP AAA Proxy 
shall route the message to the 3GPP AAA Server. 

On receipt of the Session Termination Answer message from the 3GPP AAA Server, the 3GPP AAA Proxy shall route 
the message to the non-3GPP access network and it shall release any local resources associated to the specified session 
only if the result code is set to DIAMETER_SUCCESS. 

5.2 Protocol Specification 
5.2.1 General 

The STa reference point shall be based on Diameter, as defined in IETF RFC 3588 [7] and contain the following 
additions and extensions: 

IETF RFC 4005 [4], which defines a Diameter protocol application used for Authentication, Authorization 
and Accounting (AAA) services in the Network Access Server (NAS) environment. 

IETF RFC 4072 [5], which provides a Diameter application to support the transport of EAP (IETF RFC 3748 
[8]) frames over Diameter. 

IETF RFC 5779 [2], which defines a Diameter extensions and application for PMIPv6 MAG to AAA and 
LMA to AAA interfaces. 

- IETF RFC 5447 [6], which defines Diameter extensions for Mobile IPv6 NAS to AAA interface. 

In the case of a trusted non-3GPP IP access where PMIPv6 is used as mobility protocol, the MAG to 3GPP AAA server 
or the MAG to 3GPP AAA proxy communication shall use the MAG to AAA interface functionality defined in IETF 
RFC 5779 [2] and the NAS to AAA interface functionality defined in IETF RFC 5447 [6]. 

The MAG to AAA interface functionality over the STa reference defines a new Application Id: 

- "STa" with value 16777250. 



£75/ 



3GPP TS 29.273 version 10.7.0 Release 10 



37 



ETSI TS 129 273 VI 0.7.0 (2012-10) 



The STa application reuses existing EAP (IETF RFC 4072 [5]) application commands, command ABNFs, and 
application logic and procedures. 

5.2.2 Commands 



5.2.2.1 



Commands for STa PMIPv6 authentication and authorization procedures 



5.2.2.1.1 



Diameter-EAP-Request (DER) Command 



The Diameter-EAP-Request (DER) command, indicated by the Command-Code field set to 268 and the "R" bit set in 
the Command Flags field, is sent from a non-3GPP access network NAS to a 3GPP AAA server. The ABNF is re-used 
from the IETF RFC 5779 [2]. 

< Diameter-EAP-Request > ::= < Diameter Header: 268, REQ, PXY, 16777250 > 

< Session-Id > 
Auth-Application-Id } 
Origin-Host } 
Origin-Realm } 
Destination-Realm } 
Auth-Request-Type } 
EAP-Payload } 
' User-Name ] 
CalHng-Station-Id ] 

RAT-Type ] 
AMD] 

QoS-CapabiHty ] 
MIP6-Feature-Vector ] 
Visited-Network-Identifier ] 
Service-Selection ] 
Terminal-Information ] 
*[ Supported-Features ] 



5.2.2.1.2 



>■■[ AVP ] 



Dlameter-EAP-Answer (DEA) Command 



The Diameter-EAP- Answer (DEA) command, indicated by the Command-Code field set to 268 and the "R" bit cleared 
in the Command Flags field, is sent from a 3GPP AAA Server to a non-3GPP access network NAS. The ABNF is re- 
used from the IETF RFC 5779 [2]. The ABNF also contains AVPs that are reused from IETF RFC 4072 [5]. 

< Diameter-EAP- Answer > ::= < Diameter Header: 268, PXY, 16777250 > 

< Session-Id > 
{ Auth-Application-Id } 
{ Result-Code } 
[ Experimental-Result ] 
{ Origin-Host } 
{ Origin-Realm } 
{ Auth-Request-Type } 
{ EAP-Payload } 
[ User-Name ] 
[ Session-Timeout ] 
[ Accounting-Interim-Interval ] 
[ EAP-Master-Session-Key ] 
[ Context-Identifier ] 
[ APN-OI-Replacement ] 
*[ APN-Configuration ] 
[MIP6-Agent-Info ] 
[ MIP6-Feature-Vector ] 
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[ Mobile-Node-Identifier ] 

[ 3GPP-Charging-Characteristics ] 

[ AMBR ] 

*[ Redirect-Host ] 

[ AN-Tmsted ] 

*[ Supported-Features ] 

[MIP-FA-RK] 

[MIP-FA-RK-SPI] 

*[ AVP ] 



5.2.2.2 



Commands for STa HSS/AAA Initiated Detach for Trusted non-3GPP Access 



5.2.2.2.1 



Abort-Session-Request (ASR) Command 



The Abort-Session-Request (ASR) command, indicated by the Command-Code field set to 274 and the "R" bit set in the 
Command Flags field, is sent from a 3GPP AAA Server/Proxy to a non-3GPP access network NAS. ABNF for the ASR 
commands is as follows: 



< Abort-Session-Request > ::= 



< Diameter Header: 274, REQ, PXY, 16777250 > 

< Session-Id > 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Destination-Host } 

{ Auth-Application-Id } 

[ User-Name ] 

[ Auth-Session-State ] 



*[ AVP ] 



5.2.2.2.2 



Abort-Session-Answer (ASA) Command 



The Abort-Session- Answer (ASA) command, indicated by the Command-Code field set to 274 and the "R" bit cleared 
in the Command Flags field, is sent from a non-3GPP access network NAS to a 3GPP AAA Server/Proxy. ABNF for 
the ASA commands is as follows: 



< Abort-Session- Answer > ::= 



< Diameter Header: 274, PXY, 16777250 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 



5.2.2.2.3 



*[ AVP ] 

Session-Termination-Request (STR) Command 



The Session-Termination-Request (STR) command, indicated by the Command-Code field set to 275 and the "R" bit set 
in the Command Flags field, is sent from a trusted non-3GPP GW to a 3GPP AAA Server/Proxy. The Command Code 
value and ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Request command. 
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<Session-Termination-Request> ::= 



< Diameter Header: 275, REQ, PXY, 16777250 > 

< Session-Id > 

{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Application-Id } 
{ Termination-Cause } 
[ User-Name ] 



5.2.2.2.4 



*[ AVP ] 

Session-Termination-Answer (STA) Command 



The Session-Termination- Answer (STA) command, indicated by the Command-Code field set to 275 and the "R" bit 
cleared in the Command Flags field, is sent from a 3GPP AAA Server/Proxy to a trusted non-3GPP GW. The 
Command Code value and ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Answer command. 

<Session-Termination-Answer> ::= < Diameter Header: 275, PXY, 16777250 > 

< Session-Id > 
{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 
*[ AVP ] 



5.2.2.3 



Commands for Re-Authentication and Re-Authorization Procedure 



5.2.2.3.1 



Re-Auth-Request (RAR) Command 



The Diameter Re-Auth-Request (RAR) command, indicated by the Command-Code field set to 258 and the "R" bit set 
in the Command Flags field, is sent from a 3GPP AAA Server to a Trusted Non-3GPPGW. ABNF for the RAR 
command is as follows: 



< Re-Auth-Request > ::= 



< Diameter Header: 258, REQ, PXY, 16777250 > 

< Session-Id > 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Destination-Host } 

{ Auth-Application-Id } 

{ Re-Auth-Request-Type } 

[ User-Name ] 



5.2.2.3.2 



*[ AVP ] 

Re-Auth-Answer (RAA) Command 



The Diameter Re-Auth-Answer (ASA) command, indicated by the Command-Code field set to 258 and the "R" bit 
cleared in the Command Flags field, is sent from a Trusted Non-3GPP GW to a 3GPP AAA Server/Proxy. ABNF for 
the RAA commands is as follows: 



< Re-Auth-Answer > ::= 



< Diameter Header: 258, PXY, 16777250 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 



5.2.2.3.3 



*[ AVP ] 

AA-Request (AAR) Command 



The AA-Request (AAR) command, indicated by the Command-Code field set to 265 and the "R" bit set in the 
Command Flags field, is sent from a Trusted Non-3GPP GW to a 3GPP AAA Server/Proxy. The ABNF is re-used from 
IETF RFC 4005 [4], adding AVPs from IETF RFC 5779 [2]. 
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< AA-Request > ::= < Diameter Header: 265, REQ, PXY, 16777250 > 

< Session-Id > 

{ Auth-Application-Id } 
{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Request-Type } 
[ Destination-Host ] 
[ User-Name ] 

[ MIP6-Feature-Vector ] 

*[ AVP ] 

5.2.2.3.4 AA-Answer (AAA) Command 

The AA-Answer (AAA) command, indicated by the Command-Code field set to 265 and the "R" bit cleared in the 
Command Flags field, is sent from a 3GPP AAA Server/Proxy to a Trusted Non-3GPP GW. The ABNF is re-used from 
IETF RFC 4005 [4], adding AVPs from IETF RFC 5779 [2]. 

< AA-Answer > ::= < Diameter Header: 265, PXY, 16777250 > 

< Session-Id > 

{ Auth-Application-Id } 
{ Auth-Request-Type } 
{ Result-Code } 
[ Experimental-Result ] 
{ Origin-Host } 
{ Origin-Realm } 
[ Session-Timeout ] 
[ Accounting-Interim-Interval ] 
[ Context-Identifier ] 
[ APN-OI-Replacement ] 
*[ APN-Configuration ] 
[ 3GPP-Charging-Characteristics ] 

*[ AVP ] 

5.2.2.3.5 Diameter-EAP-Request (DER) Command 

Refer to clause 5.2.2.1.1 

5.2.2.3.6 Diameter-EAP-Answer (DEA) Command 

Refer to clause 5.2.2.1.2 

5.2.2.4 Commands for Trusted non-3GPP Access network Initiated Session 

Termination 

5.2.2.4.1 Session-Termination-Request (STR) Command 

The Session-Termination-Request (STR) command, indicated by the Command-Code field set to 275 and the "R" bit set 
in the Command Flags field, is sent from a non-3GPP GW to a 3GPP AAA server. The Command Code value and 
ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Request command. 
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<Session-Termination-Request> ::= 



< Diameter Header: 275, REQ, PXY, 16777250 > 

< Session-Id > 

{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Application-Id } 
{ Termination-Cause } 
[ User-Name ] 



5.2.2.4.2 



*[ AVP ] 

Session-Termination-Answer (STA) Command 



The Session-Termination- Answer (STA) command, indicated by the Command-Code field set to 275 and the "R" bit 
cleared in the Command Flags field, is sent from a 3GPP AAA server to a non-3GPP GW. The Command Code value 
and ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Answer command. 

<Session-Termination-Answer> ::= < Diameter Header: 275, PXY, 16777250 > 

< Session-Id > 
{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 



•=[ AVP : 



5.2.3 Information Elements 



5.2.3.1 



General 



The following table describes the Diameter AVPs defined for the STa interface protocol in PMIPv6 mode, their AVP 
Code values, types, possible flag values and whether or not the AVP may be encrypted. 

Table 5.2.3.1/1 : Diameter STa AVPs 











AVP Flag rules 




Attribute Name 


AVP 
Code 


Section 
defined 


Value Type 


Must 


May 


Should 
not 


Must 
not 


May 
Encr. 


APN-Configuration 


1430 


8.2.3.7 


Grouped 


M 








No 


MIP6-Feature-Vector 


124 


5.2.3.3 


Unsigned64 


M 






V 


No 


QoS-Capability 


578 


5.2.3.4 


Grouped 


M 






V 


No 


RAT-Type 


1032 


5.2.3.6 


Enumerated 


M,V 


P 






Y 


Visited-Network- 
Identifier 


600 


9.2.3.1.2 


OctetString 


M,V 








No 


ANID 


1504 


5.2.3.7 


UTFBString 


M, V 








No 


Service-Selection 


493 


5.2.3.5 


UTF8String 


M 


P 




V 


No 


IVIobile-Node-ldentifier 


506 


5.2.3.2 


UTFSString 


M 


P 




V 


No 


AN-Trusted 


1503 


5.2.3.9 


Enumerated 


M, V 


P 






No 


MIP-FA-RK 


TBD 


5.2.3.12 


OctetString 


M,V 


P 






Y 


MIP-FA-RK-SPI 


TBD 


5.2.3.13 


Unsigned32 


M,V 


P 






Y 



The following table describes the Diameter AVPs re-used by the STa interface protocol from existing Diameter 
Applications, including a reference to their respective specifications and when needed, a short description of their use 
within STa. Other AVPs from existing Diameter Applications, except for the AVPs from Diameter Base Protocol, do 
not need to be supported. 
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Table 5.2.3.1/2: STa re-used Diameter AVPs 



Attribute Name 


Reference 


Comments 


Accounting-Interim-Interval 


IETF RFC 3588 [7] 




Auth-Request-Type 


IETF RFC 3588 [7] 




Calling-Station-ld 


IETF RFC 4005 [4] 




EAP-Master-Session-Key 


IETF RFC 4072 [5] 




EAP-Payload 


IETF RFC 4072 [5] 




RAT-Type 


3GPPTS29.212[23] 




Re-Auth-Request-Type 


IETF RFC 3588 [7] 




Session-Timeout 


IETF RFC 3588 [7] 




User-Name 


IETF RFC 3588 [7] 




Terminal-Information 


3GPP TS 29.272 [29] 




MIP6-Agent-lnfo 


IETF RFC 5447 [6] 




APN-OI-Replacement 


3GPP TS 29.272 [29] 




Supported-Features 


3GPP TS 29.229 [24] 




Feature-List-ID 


3GPP TS 29.229 [24] 


See section 5.2.3.10 


Feature-List 


3GPP TS 29.229 [24] 


See section 5.2.3.11 



Only those AVP initially defined in this reference point or AVP with values initially defined in this reference point and 
for this procedure are described in the following subchapters. 

5.2.3.2 Mobile-Node-ldentifier 

The Mobile-Node-Identifier AVP (AVP Code 506) is of type UTFSString. 

The Mobile-Node-Identifier AVP is returned in an answer message that ends a successful authentication (and possibly 
an authorization) exchange between the AAA client and the AAA server. The returned Mobile Node Identifier may be 
used as the PMIPv6 MN-ID or as the MIPv4 MN-NAI. 

The Mobile-Node-Identifier is defined on IETF RFC 5779 [2]. 



5.2.3.3 



MIP6-Feature-Vector 



The MIP6-Feature- Vector AVP (AVP Code 124) is of type Unsigned64 and contains a 64 bit flags field of supported 
mobile IP capabilities of the non-3GPP GW (when this AVP is used in the request commands) and the mobile IP 
capabilities the 3GPP AAA Server has authorized (when this AVP is used in the response commands). 

The following capabilities are defined for STa interface: 

- MIP6_INTEGRATED (0x0000000000000001) 

This flag is set by the non-3GPP GW and the 3GPP AAA Server. It means that the Mobile IPv6 integrated 
scenario bootstrapping functionality is supported. 

- PMIP6_SUPPORTED (0x0000010000000000) 

When this flag is set by the non-3GPP GW it indicates to the 3GPP AAA Server that it supports PMIPv6. 
When this flag is set by the 3GPP AAA Server it indicates to the non-3GPP GW that NBM shall be used. 

- ASSIGN_LOCAL_IP (0x0000080000000000) 

This flag is set by the 3GPP AAA Server. When this flag is set by the 3GPP AAA Server it indicates to the non- 
3GPP GW that the non-3GPP GW shall assign to the user a local IP address. 

- MIP4_SUPPORTED (0x0000100000000000) 

This flag is set by the non-3GPP GW, the PDN GW and the 3GPP AAA Server. When this flag is set by the non- 
3GPP GW it indicates to the 3GPP AAA Server that it supports MIPv4 FA-CoA mode. When this flag is set by 
the 3GPP AAA Server it indicates to the non-3GPP GW that MIPv4 FA-CoA mode shall be used. When this flag 
is set by the PDN GW and 3GPP AAA Server over the S6b interface, it shows that MIPv4 mobility protocol is 
used on the S2a interface. 

- OPTIMIZED_IDLE_MODE_MOBILITY (0x0000200000000000) 

This flag is set by the Trusted Non-3GPP GW if the PDN GW information needs to be updated for the case of 
idle mode mobility from E-UTRAN to HRPD access. 
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- GTPv2_SUPPORTED (0x0000400000000000) 

When this flag is set by the non-3GPP GW it indicates to the 3GPP AAA Server that it supports GTPv2. 
When this flag is set by the 3GPP AAA Server it indicates to the non-3GPP GW that NBM shall be used. 



5.2.3.4 QoS Capability 

This AVP is FFS 

5.2.3.5 Service-Selection 

The Service-Selection AVP is of type of UTFSString. This AVP contains an APN Network Identifier (i.e., an APN 
without the Operator Identifier), and it shall consist of one or more labels according to DNS naming conventions (IETF 
RFC 1035 [35]) describing the access point to the packet data network. 

The contents of the Service-Selection AVP shall be formatted as a character string composed of one or more labels 
separated by dots ("."). 

The Service-Selection AVP is defined in IETF RFC 5778 [II]. 

5.2.3.6 RAT-Type 

The RAT-Type AVP (AVP code 1032) is of type Enumerated and is used to identify the radio access technology that is 
serving the UE. It follows the specification described in TS 29.212 [23]. 

5.2.3.7 ANID 

The ANID AVP is of type UTFSString; this AVP contains the Access Network Identity; see 3GPP TS 24.302 [26] for 
defined values. 

5.2.3.8 AMBR 

Please refer to 3GPP TS 29.272 [29] for the encoding of this AVP. 

5.2.3.9 AN-Trusted 

The AN-Trusted AVP (AVP Code 1503) is of type Enumerated. 

The AN-Trusted AVP sent from the 3GPP AAA Server to the Non-3GPP access network conveys the decision about 
the access network being trusted or untrusted by the HPLMN. 

The following values are defined: 

TRUSTED (0) 
This value is used when the non-3GPP access network is to be handled as trusted. 

UNTRUSTED (1) 
This value is used when the non-3GPP access network is to be handled as untrusted. 

5.2.3.10 Feature-List-ID AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. For this release, the Feature-List-ID AVP value shall be set 
to I for the STa/SWa application. 

5.2.3.11 Feature-List AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. A null value indicates that there is no feature used by the 
STa/SWa application. 
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NOTE: There are no STa/SWa features defined for this release. 

5.2.3.12 MIP-FA-RK 

The MIP-FA-RK AVP is of type OctetString; this AVP contains the FA-RK used to calculate the security parameters 
needed for the MN-FA authentication extension as defined by 3GPP TS 33.402 [19]. 

5.2.3.13 MIP-FA-RK-SPI 

The MIP-FA-RK-SPI AVP is of type Unsigned32; this AVP contains the security index used in identifying the security 
context for the FA-RK as defined by 3GPP TS 33.402 [19]. 

5.2.4 Session Handling 

The Diameter protocol between the non-3GPP Access Gateway and the 3GPP AAA Server or 3GPP AAA Proxy, shall 
always keep the session state, and use the same Session-Id parameter for the lifetime of each Diameter session. 

A Diameter session shall identify a given user. In order to indicate that the session state is to be maintained, the 
Diameter client and server shall not include the Auth-Session-State AVP, either in the request or in the response 
messages (see IETF RFC 3588 [7]). 



6 SWd Description 

6.1 Functionality 



6.1.1 General 

For a general description of the SWd reference point refer to 3GPP TS 23.234 [21], Section 6.3.11.1 "General 
Description of the Wd Reference Point". 

The functionality of the SWd reference point is to transport AAA messages similar to those provided in 3GPP TS 
23.234 [21], Section 6.3.11.2 with the following exceptions: 

Carrying charging signalling per user; 

Carrying keying data for the purpose of radio interface integrity protection and encryption; 

Carrying authentication data for the purpose of tunnel establishment, tunnel data authentication and encryption, 
for the case in which the ePDG is in the VPLMN; 

Carrying mapping of a user identifier and a tunnel identifier sent from the ePDG to the 3GPP AAA Proxy 
through the 3GPP AAA Server; 

Used for purging a user from the access network for immediate service termination; 

Enabling the identification of the operator networks amongst which the roaming occurs; 

Providing access scope limitation information to the access network based on the authorised services for each 
user (for example, IP address filters); 

If QoS mechanisms are applied: carrying data for AN QoS capabilities/policies (e.g. the supported 3GPP QoS 
profiles) within authentication request from 3GPP AAA Proxy to 3GPP AAA Server. 
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6.1.2 Procedures Description 

6.1 .2.1 Trusted non-3GPP Access / Access Gateway related procedures 

6.1 .2.1 .1 Trusted Non-3GPP Access Authentication and Authorization 

When used in connection with the STa interface, the SWd interface shall support the trusted non-3GPP access 
authentication and authorization procedure defined in clause 5.1.2.1. For this procedure, the 3GPP AAA Proxy shall 
forward the Diameter commands received from the 3GPP AAA Server and the trusted non-3GPP GW as a statefal 
Diameter proxy, with the following exceptions: 

The 3GPP AAA Proxy may reject an authentication and authorization request, if roaming is not allowed for the 
users of the given HPLMN. 

When forwarding an authentication and authorization request, the 3GPP AAA Proxy shall check the presence 
and value of the visited network identifier. If the AVP was missing, it shall insert it, if the AVP was present, it 
may overwrite the AVP value before forwarding the request. 

The 3GPP AAA Proxy may modify the service authorization information in the authentication and 
authorization answer that it forwards to the trusted non-3GPP access GW, in order to enforce the QoS 
limitations according to the local policies and the roaming agreement with the home operator. 

The 3GPP AAA Proxy may decide about the trustworthiness of the non-3GPP access from the VPLMN point of 
view and insert a trust relationship indicator to the authentication and authorization request. 

The 3GPP AAA Proxy shall decide about using the S2a-PMIP based S8 chaining and in case it has selected that option, 
it shall select the Serving GW to be invoked and it shall add the Serving GW address to the authentication and 
authorization answer that is sent upon successful completion of the authentication. 

Table 6.1.2.1.1/1 describes the trusted non-3GPP access authentication and authorization request forwarded on the SWd 
interface. 
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Table 6.1.2.1.1-1 : Trusted non-3GPP Access Authentication and Authorization Request on SWd 



Information element 
name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 
The identity shall be represented in NAI form as specified in 
IETF RFC 4282 [15] and shall be formatted as defined in 3GPP 
TS 23.003 [14]. 


EAP payload 


EAP-payload 


M 


This IE shall contain the Encapsulated EAP payload used for 
the UE - 3GPP AAA Server mutual authentication 


Authentication Request 
Type 


Auth-Request- 
Type 


M 


This IE shall define whether the user is to be authenticated only, 
authorized only or both. AUTHORIZE_AUTHENTICATE shall 
be used in this case. 


UE Layer-2 address 


Calling-Station-ID 


M 


This IE shall contain the Layer-2 address of the UE. 


Supported 3GPP QoS 
profile 


QoS-Capability 





If the trusted non-3GPP Access supports QoS mechanisms, 
this information element may be included to contain the access 
network"s QoS capabilities as defined in IETF RFC 5777 [9]. 


IVIobility Capabilities 


IVIIP6-Feature- 
Vector 


C 


This information element shall contain the mobility capabilities 
of the trusted non-3GPP access network, if dynamic mobility 
mode selection is done. The PIVIIP6_SUPP0RTED flag shall be 
set if the trusted non-3GPP access supports PIVIIPvS (see IETF 
RFC 5779 [2]). The flag MIP6_INTEGRATED shall be set if 
DHCPv6 based Home Agent address discovery is supported as 
defined in IETF RFC 5447 [6]. 


Access Type 


RAT-Type 


M 


This IE shall contain the trusted non-3GPP access network 
technology type that is serving the UE. 


Access Network Identity 


ANID 


M 


This IE shall contain the access network identifier used for key 
derivation at the HSS. (See 3GPP TS 24.302 [26] for all 
possible values) 


Visited Network Identifier 


Visited-Network- 
Identifier 


M 


This IE shall contain the Identifier that allows the home network 
to identify the Visited Network. 


APN Id 


Service-Selection 





If present, this information element shall contain the Network 
Identifier part of the APN the user wants to connect to (if 
available). 


Terminal Information 


Terminal- 
Information 





If present, this information element shall contain information 
about the user"s mobile equipment. The type of identity carried 
depends on the access technology type. For HRPD access 
network, the 3GPP2-MEID AVP shall be included in this 
grouped AVP. 


Trust Relationship 
Indicator 


AN-Trusted 





If present. This AVP shall express the trusted/untrusted 
decision about the non-3GPP IP access, from the VPLMN's 
point of view. 



NOTE: For more details on the 3GPP AAA Proxy behaviour, refer to clause 5.1.2.1.3. 



6.1.2.1.2 



HSS/AAA Initiated Detach for Trusted non-3GPP Access 



When used in connection with the STa interface, the SWd interface shall support the HSS initiated detach procedure 
defined in clause 5.1.2.2. 

For this procedure, the 3GPP AAA Proxy shall forward the Diameter commands received from the 3GPP AAA Server 
and the access network GW as a stateful Diameter proxy. 



6.1.2.1.3 



Access and Service Authorization information update 



When used in connection with the STa interface, the SWd interface shall support the trusted non-3GPP access and 
service authorization information update procedure defined in clause 5.1.2.3. For this procedure, the 3GPP AAA Proxy 
shall forward the Diameter commands received from the 3GPP AAA Server and the trusted non-3GPP GW as a stateful 
Diameter proxy, with the following exceptions: 

When forwarding an authentication and authorization request, the 3GPP AAA Proxy shall check the presence 
and value of the visited network identifier. If the AVP was missing, it shall insert it, if the AVP was present, it 
may overwrite the AVP value before forwarding the request. 
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The 3GPP AAA Proxy may modify the service authorization information in the authentication and 
authorization answer that it forwards to the trusted non-3GPP access GW, in order to enforce the QoS 
limitations according to the local policies and the roaming agreement with the home operator. 

Table 6.1.2.1.3/1 describes the trusted non-3GPP access authorization request forwarded on the SWd interface. As the 
content is very similar to that of the request received on the STa interface, only those AVPs are listed that are handled 
differently on the two interfaces. 

Table 6.1.2.1.3/1: Trusted Non-3GPP Access Authorization Request on SWd interface 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


Request-Type 


Autfi-Req-Type 


M 


This IE shall contain the Authorization Request Type. The following values 

only shall be used: 

AUTHORIZE_ONLY 

This value shall indicate the initial request for authorization of the user to 

theAPN. 


Visited Network 
Identifier 


Visited- 

Network- 

Identifier 


M 


This IE shall contain an identifier that allows the home network to identify the 
Visited Network. 


Routing 
Information 


Destination- 
Host 


M 


This IE shall contain the 3GPP AAA Server name that is obtained from the 
Origin-Host AVP of a previously received message. 


Supported 
3GPP QoS 
profile 


QoS-Capability 





If the trusted non-3GPP Access supports QoS mechanisms, this information 
element may be included to contain the access network"s QoS capabilities 
as defined in IETF RFC 5777 [9]. 


Access Type 


RAT-Type 





If present, this IE contain the trusted non-3GPP access network access 
technology type that is serving the UE. 



NOTE: For more details on the 3GPP AAA Proxy behaviour, refer to clause 5. 1.2.3.3. 

6.1 .2.1 .4 Trusted non-3GPP Access Network Initiated Session Termination 

When used in connection with the STa reference point, the SWd reference point shall support the access network 
initiated session termination procedures as defined in clause 5.1.2.4 

For this procedure, the 3GPP AAA Proxy shall forward the Diameter commands received from the 3GPP AAA Server 
and the access network gateway as a stateful Diameter proxy. 

6.1 .2.2 Untrusted non-3GPP Access / ePDG related procedures 

When used in connection with the SWm reference point, the SWd reference point shall support the following 
procedures: 

Authentication procedures as defined in clause 7.1.2.1 

Authorization procedures as defined in clause 7.1.2.2 

Access network/ePDG initiated session termination procedures as defined in clause 7.1.2.3 

HSS/AAA initiated detach procedures as defined in clause 7.1.2.4 

Service authorization information update procedures as defined in clause 7.1.2.5 

For all these procedures, the 3GPP AAA Proxy shall forward the Diameter commands received from the 3GPP AAA 
Server and the ePDG as a stateful Diameter proxy, with the following exceptions: 

The 3GPP AAA Proxy may reject an authentication or an authorization request, if roaming is not allowed for 
the users of the given HPLMN. 
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The 3GPP AAA Proxy may modify the service authorization information in the authorization answer that it 
forwards to the ePDG, in order to enforce the QoS limitations according to the local policies and the roaming 
agreement with the home operator. 

The 3GPP AAA Proxy shall decide about using the S8-S2b chaining and in case it has selected that option, it 
shall select the Serving GW to be invoked and it shall add the Serving GW address to the authentication answer 
that is sent upon successful completion of the authentication. 

NOTE: For more detailed behavior of the 3GPP AAA Proxy, refer to subclauses 7.1.2.1.3 and 7. 1 .2.2.3 
respectively. 

6.1 .2.3 PDN GW related procedures 

When used in connection with the S6b reference point, the SWd reference point shall support the following procedures: 

Authentication and authorization procedures when using DSMIP as defined in clause 9.1.2.1 

Authorization procedures when using NBM as defined in clause 9.1.2.2 

PDN GW initiated session termination procedures as defined in clause 9.1.2.3 

HSS/AAA initiated detach procedures as defined in clause 9. 1 .2.4 

Service authorization information update procedures as defined in clause 9.1.2.5 

For all these procedures, the 3GPP AAA Proxy shall forward the Diameter commands received from the 3GPP AAA 
Server and the PDN GW as a stateful Diameter proxy, with the following exceptions: 

The 3GPP AAA Proxy may reject an authentication or authorization request, if roaming is not allowed for the 
users of the given HPLMN 

The 3GPP AAA Proxy may modify the service authorization information in the authorization answers that it 
forwards to the PDN GW, in order to enforce the QoS limitations according to the local policies and the 
roaming agreement with the home operator. 

NOTE: For more detailed behavior of the 3GPP AAA Proxy, refer to subclauses 9.1.2.1.4, 9.1.2.2.4, 9.1.2.3.4, 
and 9.1.2.4.4, respectively. 

6.2 Protocol Specification 
6.2.1 General 

The SWd reference point shall be based on Diameter, as defined in IETF RPC 3588 [7] and contain the following 
additions and extensions: 

IETF RFC 4005 [4], which defines a Diameter protocol application used for Authentication, Authorization 
and Accounting (AAA) services in the Network Access Server (NAS) environment. 

IETF RFC 4072 [5], which provides a Diameter application to support the transport of EAP (IETF RFC 3748 
[8]) frames over Diameter. 

IETF RFC 5779 [2], which defines Diameter extensions and application for PMIPv6 MAG to AAA and 
LMA to AAA interfaces. 

- IETF RFC 5447 [6], which defines Diameter extensions for Mobile IPv6 NAS to AAA interface. 

There is no separate application ID defined for the SWd interface. The application ID used by the 3GPP AAA Proxy 
depends on the command sent over SWd. 

NOTE: Even though the 3GPP AAA Proxy may add new AVPs to the Diameter commands forwarded to/from 
the 3GPP AAA Server, there is no AVP present in the SWd reference point that would not be present in 
the interface that is used in connection with it. Therefore, the same Application ID can be used. 
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6.2.2 Commands 



6.2.2.1 



Commands used in connection with the STa interface 



6.2.2.1.1 



Commands for STa PMIPv6 authentication and authorization procedures 



6.2.2.1.1.1 



Diameter-EAP-Request (DER) Command 



The Diameter-EAP-Request (DER) command, indicated by the Command-Code field set to 268 and the "R" bit set in 
the Command Flags field, is sent from a trusted non-3GPP access network NAS to a 3GPP AAA server. The ABNF is 
re-used from the IETF RFC 5779 [2]. 



< Diameter-EAP-Request > ::= 



< Diameter Header: 268, REQ, PXY, 16777250 > 

< Session-Id > 

{ Auth- Application-Id } 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Auth-Request-Type } 

{ EAP-Payload } 

[ User-Name ] 

[ CalHng-Station-Id ] 



[ RAT-Type ] 

[ ANID ] 

[ QoS-CapabiHty ] 

[ MIP6-Feature-Vector ] 

[ Visited-Network-Identifier ] 

[ Service-Selection ] 

[ Terminal-Information ] 

[ AN-Trusted ] 

*[ Supported-Features ] 

*[ AVP ] 



6.2.2.1.1.2 



Diameter-EAP-Answer (DEA) Command 



The Diameter-EAP-Answer (DEA) command, indicated by the Command-Code field set to 268 and the "R" bit cleared 
in the Command Flags field, is sent from a 3GPP AAA server to a 3GPP AAA Proxy. The ABNF is re-used from the 
IETF RFC 5779 [2]. The ABNF also contains AVPs that are reused from IETF RFC 4072 [5]. 



< Diameter-EAP-Answer > ::= 



< Diameter Header: 268, PXY, 16777250 > 

< Session-Id > 

{ Auth-Application-Id } 

{ Result-Code } 

[ Experimental-Result ] 

{ Origin-Host } 

{ Origin-Realm } 

{ Auth-Request-Type } 

{ EAP-Payload } 

[ User-Name ] 

[ Session-Timeout ] 

[ Accounting-Interim-Interval ] 

[ EAP -Master-Session-Key ] 

[ Context-Identifier ] 

[ APN-OI-Replacement ] 

*[ APN-Configuration ] 

[ MIP6-Feature-Vector ] 
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[ Mobile-Node-Identifier ] 

*[ Redirect-Host ] 

*[ Supported-Features ] 

*[ AVP ] 

6.2.2.1 .2 Commands for STa HSS/AAA Initiated Detach for Trusted non-3GPP Access 

The ABNFs defined for the STa interface in clause 5.2.2.2 and in its subclauses apply. 

6.2.2.1 .3 Commands for STa Access and Service Authorization Update Procedure 

The ABNFs defined for the STa interface in clause 5.2.2.3 and in its subclauses apply. 

6.2.2.1 .4 Commands for Trusted non-3GPP Access network Initiated Session Termination 

The ABNFs defined for the STa interface in clause 5.2.2.4 and in its subclauses apply. 

6.2.2.2 Commands used in connection with the SWm interface 

The ABNFs defined for the SWm interface in clause 7.2.2 and in its subclauses apply. 

6.2.2.3 Commands used in connection with the S6b interface 

The ABNFs defined for the S6b interface in clause 9.2.2 and in its subclauses apply. 

6.2.3 Information Elements 



6.2.3.1 



General 



The following table describes the Diameter AVPs defined for the SWd interface protocol in PMIPv6 mode, their AVP 
Code values, types, possible flag values and whether or not the AVP may be encrypted. 

Table 6.2.3.1/1 : Diameter SWd AVPs 











AVP Flag rules 




Attribute Name 


AVP 
Code 


Section 
defined 


Value Type 


Must 


May 


Should 
not 


Must 
not 


May 
Encr. 


APN-Configuration 


1430 


8.2.3.7 


Grouped 


M 








No 


MIP6-Feature-Vector 


124 


5.2.3.3 


Unsigned64 


M 






V 


No 


QoS-Capability 


578 


5.2.3.4 


Grouped 


M 






V 


No 


RAT-Type 


1032 


5.2.3.6 


Enumerated 


M,V 


P 






Y 


Visited-Network- 
Identifier 


600 


9.2.3.1.2 


OctetString 


M,V 








No 


ANID 


1504 


5.2.3.7 


UTFBString 


M, V 








No 


Service-Selection 


493 


5.2.3.5 


UTF8String 


M 


P 




V 


No 


IVlobile-Node-ldentifier 


506 


5.2.3.2 


UTFSString 


M 


P 




V 


No 


AN-Trusted 


1503 


5.2.3.9 


Enumerated 


M,V 


P 






No 



The following table describes the Diameter AVPs re-used by the SWd interface protocol from existing Diameter 
Applications, including a reference to their respective specifications and when needed, a short description of their use 
within SWd. Other AVPs from existing Diameter Applications, except for the AVPs from Diameter Base Protocol, do 
not need to be supported. 
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Table 6.2.3.1/2: SWd re-used Diameter AVPs 



Attribute Name 


Reference 


Comments 


Accounting-Interim-Interval 


IETF RFC 3588 [7] 




Auth-Request-Type 


IETF RFC 3588 [7] 




Calling-Station-ld 


IETF RFC 4005 [6] 




EAP-Master-Session-Key 


IETF RFC 4072 [5] 




EAP-Payload 


IETF RFC 4072 [5] 




RAT-Type 


3GPPTS29.212[23] 




Re-Auth-Request-Type 


IETF RFC 3588 [7] 




Session-Timeout 


IETF RFC 3588 [7] 




User-Name 


IETF RFC 3588 [7] 




Terminal-Information 


3GPPTS 29.272 29 




APN-OI-Replacement 


3GPPTS 29.272 29 




Supported-Features 


3GPPTS 29.229 24 


See NOTE 1 . 


Feature-List-ID 


3GPPTS 29.229 24 


See NOTE 1 . 


Feature-List 


3GPP TS 29.229 [24] 


See NOTE 1 . 


NOTE 1 : There is no separate Diameter application ID defined for the SWd interface so a separate 

supported feature list is not required. The supported features depend on the command being 
proxied over SWd. 



Only those AVP initially defined in this reference point and for this procedure are described in the following 
subchapters. 



SWm Description 



7.1 Functionality 



7.1.1 



General 



The SWm reference point is defined between the ePDG and the 3GPP AAA Server or between the ePDG and the 3GPP 
AAA Proxy. The definition of the reference point and its functionality is given in 3GPP TS 23.402 [3]. 

The SWm reference point shall be used to authenticate and authorize the UE. 

The SWm reference point is also used to transport NBM related mobility parameters in a case the UE attaches to the 
EPC via the S2b (based on PMIPv6 or GTPv2) and SWn reference points (i.e. IP Mobility Mode Selection 
information). 

Additionally the SWm reference point may also be used to transport DSMIPv6 related mobility parameters in case the 
UE attaches to the EPC using the S2c reference point. In particular, in this case the SWm reference point may be used 
for conveying the Home Agent IP address or FQDN from the AAA server to the ePDG for Home Agent discovery 
based on IKEv2 (see TS 24.303 [13]). 

7.1.2 Procedures Description 

7.1 .2.1 Authentication and Authorization Procedures 



7.1.2.1.1 



General 



The authentication and authorization procedure shall be used between the ePDG and 3GPP AAA Server/Proxy. When a 
PDN connection is activated by the UE an IKEv2 exchange shall be initiated. It shall be invoked by the ePDG, on 
receipt from the UE of a "tunnel establishment request" message. This shall take the form of forwarding an IKEv2 
exchange with the purpose of authenticating in order to set up an IKE Security Association (SA) between the UE and 
the ePDG. 

During the Access Authentication and Authorization procedure the ePDG may provide information on its PMIPv6 or 
GTPv2 capabilities to the 3GPP AAA Server. The 3GPP AAA Server may perform IP mobility mode selection between 
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NBM or HBM as specified in subclause 4. 1.3.2 of 3GPP TS 23.402 [3]. The 3GPP AAA Server may provide to the 
ePDG an indication if either NBM or local IP address assignment shall be used. If NBM shall be used, the ePDG then 
decides the S2b protocol variant to use. 

Upon a successful authorization, when NBM is used, the 3GPP AAA server shall return NBM related information back 
to the ePDG. This information may include the assigned PDN GW, UE IPv6 HNP and/or UE IPv4-HoA. 

Upon a successful authorization, when DSMIPv6 is used, to enable HA address discovery based on IKEv2 (see TS 
24.303 [13]), the 3GPP AAA server may also download PDN GW identity to the ePDG. 

The PDN Gateway identity is a FQDN and/or IP address of the PDN GW. If a FQDN is provided, the ePDG shall 
derive it to IP address according to the selected mobility management protocol. 

If DSMIPv6 is used, a single IKE S A is used for all PDN connections of the user. If PMIPv6 or GTPv2 is used, a 
separate IKE SA is created for each PDN connection of the user (refer to 3GPP TS 24.302 [26]). 

Each new additional IKE SA shall be handled in a different Diameter session. In such cases, the IP mobility mode 
selected during the first authentication and authorization procedure is valid for all PDN connections of the user, 
therefore, dynamic IP mobility mode selection is not executed during the further procedures. The ePDG may select the 
same or different S2b protocol variant(s) towards different PDN GWs when NBM has been selected. 

The S Wm reference point shall perform authentication and authorization based on the reuse of the DER/DEA command 
set defined in Diameter EAP application, IETF RFC 4072 [5]. 

Table 7.1.2.1.1/1: Authentication and Authorization Request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


EAP payload 


EAP- Payload 


M 


This information element shall contain the encapsulated EAP payload used 
for the UE - 3GPP AAA Server mutual authentication 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


This information element shall indicate whether authentication only or 
authentication and authorization are required. It shall have the value of 
AUTHORIZE AUTHENTICATE. 


APN 


Service- 
Selection 


C 


This information element shall contain the Network Identifier part of the APN 
for which the UE is requesting authorization. This AVP shall be present 
when the ePDG has received an APN from the UE in the IKEv2 signalling. 


Visited Network 
Identifier (See 
9.2.3.1.2) 


Visited- 

Network- 

Identifier 


C 


This information element shall contain the identifier that allows the home 
network to identify the Visited Network. 

This AVP shall be present if the ePDG is not in the UE's home network i.e. 
the UE is roaming. 


Access Type 


RAT-Type 


c 


This information element shall be present if the access type is known by the 
ePDG. If present, it shall contain the non-3GPP access network access 
technology type that is serving the UE. 


Mobility 
features 


MIP6-Feature- 
Vector 





This AVP shall be present, if the handling of any of the flags listed here 
requires dynamic (i.e. per user) handling for the VPLMN-HPLMN relation of 
the ePDG and 3GPP AAA Server. If present, the AVP shall contain the 
mobility features supported by the ePDG. Flags that are not relevant in the 
actual relation shall be set to zero. 

If dynamic IP mobility mode selection is used, the PMIP6 SUPPORTED flag 
and/or the GTPv2_SUPP0RTED flag shall be set by the ePDG if PMIPv6 
and/or GTPv2 are supported. PMIP6 SUPPORTED flag is defined in IETF 
RFC 5779 [2]. 

The MIP6_INTEGRATED flag shall be used to indicate to the 3GPP AAA 
server that the ePDG supports IKEv2 based Home Agent address 
discovery. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 
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Table 7.1.2.1.1/2: Authentication and Authorization Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


EAR payload 


EAP- Payload 


M 


This information element shall contain the encapsulated EAP payload used 
for UE - 3GPP AAA Server mutual authentication 


Master- 
Session-Key 


EAP-Master- 
Session-Key 


C 


This IE shall contain keying material for protecting the communication 
between the user and the ePDG. It shall be present when Result Code is set 
to DIAMETER SUCCESS. 


Result code 


Result-Code / 
Experimental- 
Result-Code 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol or as per in NASREQ. 


3GPP AAA 
Server Name 


Redirect-Host 


C 


This information element shall be sent if the Result-Code value is set to 
DIAMETER_REDIRECT_INDICATION. When the user has previously been 
authenticated by another 3GPP AAA Server, it shall contain the Diameter 
identity of the 3GPP AAA Server currently serving the user. The node 
receiving this IE shall behave as defined in the Diameter Base Protocol 
(IETF RFC 3588 [7]). The command shall contain zero or more occurrences 
of this information element. When choosing a destination for the redirected 
message from multiple Redirect-Host AVPs, the receiver shall send the 
Diameter request to the first 3GPP AAA Server in the ordered list received in 
the Diameter response. If no successful response to the Diameter request is 
received, the receiver shall send the Diameter request to the next 3GPP 
AAA Server in the ordered list. This procedure shall be repeated until a 
successful response is received from a 3GPP AAA Server. 


Mobility 
Capabilities 


MIP6-Feature- 
Vector 





This AVP shall be present if it was received in the authentication and 
authorization request and the authentication and authorization succeeded/ It 
shall contain the authorized mobility features. Flags that are not relevant in 
the actual relation shall be set to zero. 

The PMIP6_SUPP0RTED flag and/or the GTPv2_SUPP0RTED flag shall 
be set to indicate that NBM {PMIPv6 or GTPv2) is to be used. The 
ASSIGN_LOCAL_IP flag shall be set to Indicate that a local IP address is to 
be assigned. 

The MIP6_INTEGRATED flag shall be set if a Home Agent address is 
provided for IKEv2 based Home Agent address discovery. In the latter case 
HA information for IKEv2 discovery is provided via the APN-Configuration 
AVP. 


APN-OI 
replacement 


APN-OI- 
Replacement 


c 


This AVP shall indicate the domain name to replace the APN-OI in the non- 
roaming case or in the home routed roaming case when constructing the 
PDN GW FQDN upon which it needs to perform a DNS resolution. See 
3GPP TS 23.003 [3]. It shall only be included if NBM is used and the Result- 
Code AVP is set to DIAMETER SUCCESS. 


APN and PGW 
Data 


APN- 
Configuration 


c 


This information element shall only be sent if the Result-Code AVP is set to 

DIAMETER_SUCCESS. 

The APN-Configuration is a grouped AVP, defined in 3GPP TS 29.272 [29]. 

When NBM is used, the following information elements per APN may be 

included: 

-APN 

- APN-AMBR 

- Authorized 3GPP QoS Profile 

- User home IP Address (if static IPv4 and/or IPv6 is allocated to the UE's 
subscribed APN) 

- Allowed PDN types 

- PDN GW identity (if the PDN connection was active in case of HO, or if 
there is a static PDN GW allocated to the UE's subscribed APN) 

- PDN GW allocation type 

- VPLMN Dynamic Address Allowed 

- Visited Network Identifier 

When local IP address assignment is used, this AVP shall only be present if 
IKEv2 based Home Agent discovery is used and 

- if the PDN connection was active in case of HO, or 

- if there is static PDN GW allocated to the UE's subscribed APN, or 
In these cases, the following information elements shall be included: 

- HA-APN 

- PDN GW identity 


Trace 
information 


Trace-Info 


c 


This AVP shall be included if the subscriber and equipment trace has been 
activated for the user in the HSS and signalling based activation is used to 
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download the trace activation from the HSS to the ePDG. 

Only the Trace-Data AVP shall be included to the Trace-Info AVP and 

shall contain the following AVPs: 

- Trace-Reference 

- Trace-Depth 

- Trace-Event-List 

- Trace-Gollection-Entity 

The following AVPs may also be included in the Trace-Data AVP: 

- Trace-Interface-List: if this AVP is not present, trace report generation is 
requested for all interfaces listed in 3GPP TS 32.422 [32] 

- Trace-NE-Type-List, with the only allowed value being "PDN GW (3)". If 
this AVP is not included, trace activation in PDN GW is required. 


MSISDN 


Subscription-ID 





This AVP shall contain the MSISDN of the UE and shall be sent only if it is 
available. 


Session time 


Session- 
Timeout 





If the authorization succeeded, then this IE shall contain the time this 
authorization is valid for. 


Permanent 
User Identity 


IVIobile-Node- 
Identifier 





This information element shall be present if NBIVI is used. It shall contain an 
AAA/HSS assigned identity (i.e. IIVISI in EPC root NAI format as defined in 
3GPP TS 23.003 [14]) to be used by the IVIAG in subsequent PBUs as the 
IVIN-ID identifying the user in the EPS network. 


Serving GW 
Address 


IVIIP6-Agent- 
Info 





This AVP shall be used only in chained S2b-S8 cases and it shall be sent 
only if the Result-Code AVP is set to DIAMETER SUCCESS. 


UE Charging 
Data 


3GPP- 

Gharging- 

Characteristics 





This information element contains the type of charging method to be applied 
to the user (see 3GPP TS 29.061 [31]). 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 



7.1.2.1.2 



3GPP AAA Server Detailed Behaviour 



On receipt of the DER message, the 3GPP AAA Server shall check that the user data exists in the 3GPP AAA Server. If 
not, the 3GPP AAA Server shall use the procedures defined for the SWx interface to obtain access authentication and 
authorization data. 

If the HSS returns DIAMETER_ERROR_USER_UNKWNOWN, the 3GPP AAA Server shall return the same error to 
the ePDG. 

If the HSS indicates that the user is currently being served by a different 3GPP AAA Server, the 3GPP AAA Server 
shall respond to the ePDG with the Result-Code set to DIAMETER_REDIRECT_INDICATION and Redirect-Host set 
to the Diameter identity of the 3GPP AAA Server currently serving the user (as indicated in the 3GPP-AAA-Server- 
Name AVP returned in the SWx authentication response from the HSS). 

Otherwise, the 3GPP AAA Server shall proceed with the authentication and authorization procedure. The 3GPP AAA 
Server shall use the procedures defined in SWx interface to obtain authorization data from HSS. 

If the user does not have non-3GPP access subscription, then 3GPP AAA Server shall respond to the non-3GPP GW 
with Experimental-Result-Code DIAMETER_ERROR_USER_NO_NON_3GPP_SUBSCRIPTION. 

If a Visited- Network-Identifier is present in the request and if the user is not allowed to roam in the visited network, 
then the 3GPP AAA Server shall return Experimental-Result-Code set to 
DIAMETER_ERROR_ROAMING_NOT_ALLOWED. 

Otherwise the 3GPP AAA Server shall run EAP-AKA as specified in 3GPP TS 33.402 [19]. Exceptions to the cases 
specified here shall be treated by 3GPP AAA Server as error situations, the Result-Code shall be set to 
DIAMETER_UNABLE_TO_COMPLY and, therefore, no authentication information shall be returned. 

Upon receiving the authnetication and authorization request from the ePDG, the 3GPP AAA Server marks the trust 
relationship as "untrusted" with the User Identity. If the 3GPP AAA Server detects that an S6b session already exists for 
this UE and the S6b session was established as a result of an authentication request for DSMIPv6, the 3GPP AAA 
Server shall send the trust relationship to the PDN GW as specified in clause 9.1.2.1. 
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Once authentication is successfully completed, the 3GPP AAA Server shall perform the following authorization 
checking (if there is an error in any of the steps, the 3GPP AAA Server shall stop processing and return the 
corresponding error code): 

1) Check if the user is barred to use the non 3GPP Access. If it is so, then the Result-Code shall be set to 
DIAMETER_AUTHORIZATION_REJECTED 

2) Check whether the user is barred to use the subscribed APNs. If it is so, Result-Code shall be set to 
DIAMETER_AUTHORIZATION_REJECTED. 

3) Check if there was request for an APN received. If not, AAA Server shall check, whether the user already has an 
active PDN connection to the default APN. If it is so, the Result-Code shall be set to 

DIAMETER_UNABLE_TO_COMPLY. Otherwise, the default APN of the user is selected to be used during the 
actual authentication and authorization procedure. 

4) Check if user has a subscription for the requested APN. If not, Experimental-Result-Code shall be set to 
DIAMETER_ERROR_USER_NO_APN_SUBSCRIPTION 

5) If present, check the flags of the received MIP6-Feature-Vector AVP: The evaluation of the flags is executed 
only in the first authentication and authorization procedure for the user after an initial attach or handover, in all 
the subsequent procedures, the AAA Server shall insert the same values. 

- If the MIP6-INTEGRATED flag is set and the 3GPP AAA server has authorized IKEv2 Home Agent 
assignment, the 3GPP AAA server shall include the Home Agent addresses in the APN-Configuration AVP 
in the response and the MIP6-Feature-Vector AVP with the MIP6-INTEGRATED flag set. If the HA 
assignment via IKEv2 is not used, the MIP6-Feature-Vector AVP with the MIP6-INTEGRATED flag not set 
shall be sent. 

- The PMIP6_SUPPORTE and/or GTPv2_SUPPORTED D flag indicates to the 3GPP AAA server whether 
the ePDG supports NBM or not. As specified in 3GPP TS 23.402 [3], based on the information it has 
regarding the UE (see 3GPP TS 24.302 [26]), local/home network capabilities and local/home network 
policies, the 3GPP AAA server may perform mobility mode selection. If the 3GPP AAA server decides that 
NBM should be used, the PMIP6_SUPPORTED and GTPv2_SUPPORTED flags shall be set in the response 
to indicate the NBM support of the UE to the ePDG. If only the PMIP6_SUPP0RTED or the 
GTPv2_SUPP0RTED flag is present in the response, the ePDG shall assume that this also indicates the 
NBM support of the UE to the ePDG and the ePDG may select any S2b protocol variant (PMIPv6 or 
GTPv2). If the 3GPP AAA server decides that a local IP address should be assigned, the 
ASSIGN_LOCAL_IP flag shall be set in the response to indicate to the ePDG that a local IP address should 
be assigned. 

NOTE: When selecting DSMIPv6, the AAA server assumes that the ePDG has the capability to assign a local IP 
address to the UE. 

- The 3GPP AAA server shall not set the PMIP6_SUPPORTED/GTPv2_SUPPORTED and 
ASSIGN_LOCAL_IP flags both at the same time in the response. 

Upon successful authentication and authorization, the 3GPP AAA Server shall return user data relevant to the APN as 
received from the HSS. The Result-Code shall be set to DIAMETER_SUCCESS. 

Exceptions to the cases specified here shall be treated by 3GPP AAA Server as error situations, the Result-Code shall 
be set to DIAMETER_UNABLE_TO_COMPLY and, therefore, no authorization information shall be returned. 

7.1 .2.1 .3 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy shall be required to handle roaming cases in which the ePDG is in the VPLMN. The 3GPP AAA 
Proxy shall act as a stateful proxy with the following additions. 
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On receipt of the first authentication and authorization request, the 3GPP AAA Proxy shall check locally configured 
information whether users from the HPLMN are allowed to activate a PDN connection from the non-3GPP access 
network via this (V)PLMN. If not, the Experimental-Result-Code shall be set to 
DIAMETER_ERROR_ROAMING_NOT_ALLOWED and the authentication response shall be sent to the ePDG. 

On receipt of the authentication and authorization answer that completes a successful authentication, the 3GPP AAA 
Proxy 

may check locally configured information about using the chained S8-S2b option towards the given HPLMN. If 
chaining is required, the 3GPP AAA Proxy shall select a Serving GW from its network configuration database 
and shall include the Serving GW address in the response. 

shall check locally configured information for the maximum allowed static QoS parameters valid for visitors 
from the given HPLMN and modify the QoS parameters received from the 3GPP AAA Server, to enforce the 
policy limitations. 

shall record the state of the connection (i.e. Authorization Successful). 

7.1 .2.1 .4 ePDG Detailed Behaviour 

The ePDG shall initiate a new authentication and authorization procedure for each new IKE_SA. Each IKE_SA shall be 
handled in a different session. 

The ePDG shall set flags signalling its capabilities to the same value in all authentication and authorization procedure 
for the same user (include the same MIP6-Feature- Vector). During the second and further authentication and 
authorization procedures, the ePDG shall discard the flag values received from the AAA Server and reuse the values 
received during the first procedure executed for the user. 

For PMIPv6/GTPv2 based S2b, when receiving a Serving GW address in an authentication response, the ePDG shall 
check, whether it has already a Serving GW address stored for the user. 

If it has no Serving GW address available, it shall store the received value and use it as LMA address when 
creating PMIP bindings. 

If it has already a stored Serving GW address value, it shall ignore the received SGW-Address AVP. 

NOTE 1 : In case of untrusted access, there is an authentication session started for all PDN connection setup 

requests of a user. These sessions may invoke different 3GPP AAA Proxies, which in turn may assign 
different Serving GWs to the user. The ePDG behaviour ensures that in spite of this possibility, the same 
Serving GW is used for all PDN connections of the user. 

NOTE 2: The ePDG knows if NBM is used or if a local IP address is assigned based on the flags in the MIP6- 
Feature- Vector or based on preconfigured information. If the PMIP6_SUPPORTED and/or the 
GTPv2_SUPPORTED flag are set in the MIP6-Feature-Vector received from the 3GPP AAA Server, the 
ePDG knows that NBM is used. 

For PMIPv6/GTPv2 based S2b, the ePDG shall utilize the downloaded APN configuration data to authorize the UE 
requested home address types: IPv4 home address and/or IPv6 home network prefix. 

The ePDG may use the Visited_Network_Identifier to determine the S2b protocol type (PMIPv6 or GTPv2). The ePDG 
may be configured with the S2b protocol variant(s) on a per HPLMN granularity, or may retrieve information regarding 
the S2b protocol variants supported by the PDN GW (PMIPv6 or/and GTPv2) from the Domain Name Service Function 
as described in 3GPP TS 29.303 [34]. 

If GTPv2 is used on S2b and if the Trace-Info AVP including Trace-Data has been received in the authorization 
response, the ePDG shall send a GTPv2 Trace Session Activation message (see 3GPP TS 29.274 [38]) to the PGW to 
start a trace session for the user. 



If DSMIPv6 is used and if ePDG has received the PGW identity in form of the FQDN from the 3GPP AAA server, then 
the ePDG may obtain the IP address of the Home Agent functionality of that PGW as described in 3GPP TS 29.303 

[34]. 
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7.1.2.2 



Authorization Procedures 



7.1.2.2.1 



General 



This procedure shall be used between the ePDG and 3GPP AAA Server and Proxy. It shall be invoked by the ePDG, 
upon receipt of a valid Re-Authorization Request message from the 3GPP AAA Server (see section 7.1.2.5). 

This procedure shall be used by the ePDG to update the previously provided authorization parameters. This may happen 
due to a modification of the subscriber profile in the HSS (for example, removal of a specific APN associated with the 
subscriber, or change of the identity of a dynamically allocated PDN GW, see subclause 8. 1 .2.3). 

This procedure is mapped to the Diameter command codes AA-Request (AAR) and AA- Answer (AAA) specified in 
RFC 4005 [4]. Information element contents for these messages are shown in tables 7.1.2.2.1/1 and 7.1.2.2.1/2. 

Table 7.1.2.2.1/1 : SWm Authorization Request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


Diameter 
Session ID 


Session-Id 


M 


This information element shall identify the session uniquely. 


Request Type 


Auth-Request- 
Type 


M 


This information element shall contain the type of request. It shall have the 
value AUTHORIZE ONLY. 
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Table 7.1.2.2.1/2: SWm Authorization Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15], and 
shall be formatted as defined in 3GPP TS 23.003 [14.] 


Diameter 
Session ID 


Session-Id 


M 


This information element shall identify the session uniquely. 


Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE_ONLY. See IETF RFC 4072 [5]. 


Registration 
Result 


Result-Code/ 
Experimental 
Result Code 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol or as per in NASREQ. 


UE IPv4 Home 
Address 


PMIP6-IPV4- 
Home-Address 





If the authorization succeeded, and the user has an IPv4-HoA statically 
defined as part of his profile data, then this IE may be present. It shall 
contain the IPv4-HoA allocated and assigned to the UE. 


APN and PGW 
Data 


APN- 
Configuration 


C 


This information element shall only be sent if the Result-Code AVP is set to 

DIAMETER_SUCCESS. 

APN-Configuration is a grouped AVP, defined in 3GPP TS 29.272 [29]. 

When NBIVI is used, the following information elements per APN may be 

included: 

-APN 

-APN-AMBR 

- Authorized 3GPP QoS profile 

- Statically allocated User IP Address (IPv4 and/or IPv6) 

- Allowed PDN types 

- PDN GW identity 

- PDN GW allocation type 

- VPLMN Dynamic Address Allowed 

- Visited Network Identifier 

When local IP address assignment is used, this AVP shall only be present if 
IKEv2 based Home Agent discovery is used and 

- if the PDN connection was active in case of HO, or 

- if there is static PDN GW allocated to the UE's subscribed APN. 

In these cases, the following information elements shall be included: 

- HA-APN 

- PDN GW identity 


Trace 
information 


Trace- Info 


c 


This AVP shall be included if the subscriber and equipment trace has been 
activated for the user in the HSS and signalling based activation is used to 
download the trace activation from the HSS to the ePDG. 

Only the Trace-Data AVP shall be included if trace activation is requested. 
Only the Trace- Reference AVP shall be included if trace deactivation is 
requested. 

If the Trace-Data AVP is included, it shall contain the following AVPs: 

- Trace-Reference 

- Trace-Depth 

- Trace-Event-List 

- Trace-Collection-Entity 

The following AVPs may also be included in the Trace-Data AVP: 

- Trace-Interface-List: if this AVP is not present, trace report generation is 
requested for all interfaces listed in 3GPP TS 32.422 [32] 

- Trace-NE-Type-List, with the only allowed value being "PDN GW (3)". If 
this AVP is not included, trace activation in PDN GW is required. 


MSISDN 


Subscription-ID 


c 


This AVP shall contain the MSISDN of the UE and shall be sent only if it is 
available. 


UE Charging 
Data 


3GPP- 

Charging- 

Characteristics 





If present, this information element shall contain the type of charging method 
to be applied to the user (see 3GPP TS 29.061 [31]). 


Session time 


Session- 
Timeout 


c 


If the authorization succeeded, then this IE shall contain the time this 
authorization is valid for. 
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7.1 .2.2.2 3GPP AAA Server Detailed Behaviour 

The 3GPP AAA Server shall process the steps in the following order (if there is an error in any of the steps, the 3GPP 
AAA Server shall stop processing and return the corresponding error code): 

1) Check that the user exists in the 3GPP AAA Server. The check shall be based on Diameter Session-id. If not 
Experimental-Result-Code shall be set to DIAMETER_ERROR_USER_UNKNOWN. 

2) Check whether the user is allowed to access the APN. If not, Result-Code shall be set to 
DIAMETER_AUTHORIZATION_REJECTED. 

3) The 3GPP AAA Server shall return user data relevant to the APN as received from the HSS. The Result-Code 
shall be set to DIAMETER_SUCCESS. 

Once the Authentication and Authorization procedure successfully finishes, the 3GPP AAA Server shall download, 
together with authentication data, the list of authorized APNs and the authorized mobility protocols in the authentication 
and authorization response from the HSS (see SWx procedure in Section 8.1.2.1). 

Exceptions to the cases specified here shall be treated by 3GPP AAA Server as error situations, the Result-Code shall 
be set to DIAMETER_UNABLE_TO_COMPLY and, therefore, no authorization information shall be returned. 

7.1 .2.2.3 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy shall be required to handle roaming cases in which the ePDG is in the VPLMN. The 3GPP AAA 
Proxy shall act as a state ful proxy, with the following extensions. 

On receipt of the authorization answer, the 3GPP AAA Proxy: 

Shall check locally configured information for the maximum allowed static QoS parameters valid for visitors 
from the given HPLMN and modify the QoS parameters received from the 3GPP AAA Server, to enforce the 
policy limitations. 

Shall record the state of the connection (i.e. Authorization Successful). 

7.1.2.2.4 ePDG Detailed Behaviour 

The ePDG shall initiate the authorization procedure after successfully completing the authentication of the user. The 
ePDG shall initiate a separate authorization session for each IKE_SA of the user. 

If NBM is used, at successful completion of the procedure, the ePDG shall store the APN configuration data received 
from the 3GPP AAA Server. The ePDG shall utilize these data to authorize the requested home address types: IPv4 
home address and/or IPv6 home network prefix. 

NOTE: The user will be allowed to create PDN connections only to the subscribed APNs and use the address 
types that are allowed by the subscribed PDN types. 

Upon receiving the authorization response: 

If NBM is used and if any other Result-Code than DIAMETER_SUCCESS was received in the response, the 
ePDG shall release the corresponding PDN connection (PMIPv6 binding or GTPv2 tunnel) and IKE_S A of the 
user. 

- IfDSMIPv6isused, 

- If any other Result-Code than DIAMETER_SUCCESS was received, the ePDG shall release the 
corresponding IKE_S A of the user. 

- If the Result-Code DIAMETER_SUCCESS was received in the response, the ePDG shall update the 
previously provided authorization parameters. 

NOTE: The ePDG knows if NBM is used or if a local IP address is assigned based on the flags in the MIP6- 
Feature-Vector received during the initial authentication and authorization procedure or based on 
preconfigured information. If the PMIP6_SUPP0RTED and/or the GTPv2_SUPPORTED flag are set in 
the MIP6-Feature-Vector received from the 3GPP AAA Server, the ePDG knows that NBM is used. 
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If GTPv2 is used on S2b and if the Trace-Info AVP including Trace-Data has been received in the authorization 
response, the ePDG shall send a GTPv2 Trace Session Activation message (see 3GPP TS 29.274 [38]) to the PGW to 
start a trace session for the user. If the Trace-Info AVP including Trace-Reference (directly under the Trace-Info) has 
been received in the authorization response, the ePDG shall send a GTPv2 Trace Session Deactivation message to the 
PGW to stop the ongoing trace session, identified by the Trace-Reference. For details, see 3GPP TS 32.422 [32]. 

If DSMIPv6 is used and if ePDG has received the PGW identity in form of the FQDN from the 3GPP AAA server, then 
the ePDG may obtain the IP address of the Home Agent functionality of that PGW as described in 3GPP TS 29.303 
[34]. 



7.1.2.3 



ePDG Initiated Session Termination Procedures 



7.1.2.3.1 



General 



The SWm reference point allows the ePDG to inform the 3GPP AAA Server/Proxy about the termination of an IKE_S A 
between UE and ePDG, and that therefore the mobility session established on the ePDG for all associated PDN 
connections are to be removed. 

The SWm Session Termination Request procedure shall be initiated by the ePDG to the 3GPP AAA Server which shall 
remove associated non-3GPP Access information. The AAA Server shall then return the SWm Session Termination 
Answer containing the result of the operation. These procedures are based on the reuse of Diameter Base IETF RFC 
3588 [7] STR and STA commands 

Table 7.1.2.3.1/1 : SWm Session Termination Request 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


Termination 
Cause 


Termination- 
Cause 


M 


This information element shall contain the reason for the disconnection. 



Table 7.1.2.3.1/2: SWm Session Termination Answer 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code 


M 


This IE shall contain the result of the operation. 



7.1.2.3.2 



3GPP AAA Server Detailed Behavior 



Upon reception of the Session Termination Request message from the ePDG, the 3GPP AAA Server shall check that 
there is an ongoing session associated to the two parameters received (Session-Id and User-Name). 

If an active session is found and it belongs to the user identified by the User-Name parameter, the 3GPP AAA Server 
shall release the session resources associated to the specified session and a Session Termination Response shall be sent 
to the ePDG, indicating DIAMETER_SUCCESS. 

Otherwise, the 3GPP AAA Server returns a Session Termination Response with the Diameter Error 
DIAMETER UNKNOWN SESSION ID. 



7.1.2.3.3 



3GPP AAA Proxy Detailed Behavior 



The 3GPP AAA Proxy is required to handle roaming cases in which the ePDG is located in the VPLMN. The 3GPP 
AAA Proxy shall act as a stateful proxy. 

On receipt of the Session Termination Request message from the ePDG, the 3GPP AAA Proxy shall route the message 
to the 3GPP AAA Server. 
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On receipt of the Session Termination Answer message from the 3GPP AAA Server, the 3GPP AAA Proxy shall route 
the message to the ePDG, and it shall release any local resources associated to the specified session only if the result 
code is set to DIAMETER_SUCCESS. 



7.1.2.4 



3GPP AAA Server Initiated Session Termination Procedures 



7.1.2.4.1 



General 



The SWm reference point shall allow the 3GPP AAA Server to request the termination of an IKE_S A between UE and 
ePDG, and therefore the termination of all mobility session established for all associated PDN connections. 

If the user has several accesses (IKE_S A) active at an ePDG, a separate Session Termination procedure shall be 
initiated for each of them. 

The procedure shall be initiated by the 3GPP AAA Server. This procedure is based on the reuse of NASREQ IETF RFC 
4005 [4] ASR, ASA, STR and STA commands. 

Table 7.1.2.4.1/1 : SWm Abort Session Request 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


Auth-Session- 
State 


Auth-Session- 
State 





If present, this information element indicates to the ePDG whether the 3GPP 
AAA Server requires an STR message. 



Table 7.1.2.4.1/2: SWm Abort Session Answer 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code 


M 


This IE shall contain the result of the operation. 



Table 7.1.2.4.1/3: SWm Session Termination Request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Termination- 
Cause 


Termination- 
Cause 


M 


This information element shall contain the reason why the 
session was terminated. It shall be set to 
"DIAMETER_ADMINISTRATIVE" to indicate that the 
session was terminated in response to an ASR message. 



Table 7.1.2.4.1/4: SWm Session Termination Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result-Code 


Result-Code 


M 


This IE shall contain the result of the operation. 



7.1.2.4.2 



3GPP AAA Server Detailed Behaviour 



The 3GPP AAA Server shall make use of this procedure to instruct the ePDG to terminate the IKE_S A between UE and 
ePDG. 

In the DSMIPv6 case, the 3GPP AAA Server shall initiate first the detach procedure over the S6b reference point 
towards the PDN GW. When this process has finalized, the 3GPP AAA Server can initiate the termination of the 
IKE_SA towards the ePDG. 

The 3GPP AAA Server shall include the Auth-Session-State AVP in the ASR command with a value of 
NO_STATE_MAINTAINED if it does not require a STR from the ePDG. If it does require a STR from the ePDG, the 
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3GPP AAA Server shall either omit the Auth-Session-State AVP from the ASR command or include the Auth-Session- 
State AVP in the ASR command with a value of STATE_MAINTAINED. 

On receipt of the ASR command, the ePDG shall check if there is an ongoing session associated with the received 
Session-Id. If an active session is found and it belongs to the user identified by the User-Name parameter, the ePDG 
shall terminate the associated IKE_SA between UE and ePDG and return an ASA to the 3GPP AAA Server with the 
Result-Code to DIAMETER_SUCCESS. Otherwise, the ePDG shall return an ASA to the 3GPP AAA Server with the 
Result-Code set to DIAMETER_UNKNOWN_SESSION_ID. 

On receipt of the ASA with a Result-Code of DIAMETER_SUCCESS, the 3GPP AAA Server shall release any local 
resources associated with the specified session. 

If required by the 3GPP AAA Server, the ePDG shall send an STR with the Termination-Cause set to 
DIAMETER_ADMINISTRATIVE. The 3GPP AAA Server shall set the Result-Code to DIAMETER_SUCCESS and 
return the STA command to the ePDG. 

7.1 .2.4.3 3GPP AAA Proxy Detailed Behaviour 

When the 3GPP AAA Proxy receives the ASR from the 3GPP AAA Server it shall route the request to the ePDG. 

If the 3GPP AAA Proxy requires an STR but the 3GPP AAA Server does not, the 3GPP AAA Proxy may override the 
value of the Auth-Session-State in the ASR and set it to STATE_MAINTAINED. In this case, the 3GPP AAA Proxy 
shall not forward the STR received from the ePDG onto the 3GPP AAA Server and shall return an STA command to 
the ePDG with the Result-Code set to DIAMETER_SUCCESS. The 3GPP AAA Proxy shall not override the value of 
the Auth-Session-State AVP under any other circumstances. 

On receipt of the ASA message with Diameter Result Code set to DIAMETER_SUCCESS, the 3GPP AAA Proxy shall 
route the successful response to the 3GPP AAA Server and shall release any local resources associated with the 
session. 

When the 3GPP AAA Proxy receives the STR from ePDG, it shall route the request to the 3GPP AAA Server. On 
receipt of the STA message, the 3GPP AAA Proxy shall route the response to the ePDG. 

7.1.2.5 Authorization Information Update Procedures 

7.1.2.5.1 General 

This procedure shall be used between the 3GPP AAA Server and the ePDG for the purpose of modifying the previously 
provided authorization parameters. This may happen due to a modification of the subscriber profile in the HSS (for 
example change of the identity of a dynamically allocated PDN GW, see subclause 8.1.2.3). 

This procedure shall be performed in two steps: 

The 3GPP AAA Server shall issue an unsolicited re-authorization request towards the ePDG. Upon receipt of 
such a request, the ePDG shall respond to the request and indicate the disposition of the request. This 
procedure is based on the Diameter command codes Re-Auth-Request and Re-Auth- Answer specified in 
IETF RFC 3588 [7]. Information element contents for these messages shall be as shown in tables 7.1.2.5.1/1 
and 7. 1.2.5. 1/2. 

Upon receiving the re-authorization request, the ePDG shall immediately invoke the authorization procedure 
specified in 7.1.2.2 for the session indicated in the request. 

This procedure is mapped to the Diameter command codes Re-Auth-Request (RAR) and Re-Auth- Answer (RAA) 
specified in IETF RFC 4005 [4]. Information element contents for these messages are shown in tables 7.1.2.2.1/1 and 
7.1.2.2.1/2. 



£75/ 



3GPP TS 29.273 version 10.7.0 Release 10 



63 



ETSI TS 129 273 VI 0.7.0 (2012-10) 



Table 7.1.2.5.1/1: SWm Authorization Information Update Request 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


Re-Auth 
Request Type 


Re-Auth- 
Request-Type 


M 


This IE shall define whether the user is to be authenticated only, authorized 
only or both. AUTHORIZE ONLY shall be set in this case. 


Routing 
Information 


Destination- 
Host 


M 


This information element shall be obtained from the Origin-Host AVP, which 
was included in a previous command received from the trusted non-3GPP 
access. 



Table 7.1.2.5.1/2: SWm Authorization Information Update Answer 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This Information element shall contain the identity of the user. The identity 
shall be represented in NAI form as specified in IETF RFC 4282 [15] and 
shall be formatted as defined in 3GPP TS 23.003 [14]. 


Result 


Result-Code 


M 


This IE shall contain the result of the operation. 



7.1.2.5.2 



3GPP AAA Server Detailed Behaviour 



The 3GPP AAA server shall make use of the re-authorization procedure defined in the Diameter base protocol, IETF 
RFC 3588 [7] to indicate that relevant service authorization information shall be updated in the ePDG. 



7.1.2.5.3 



ePDG Detailed Behaviour 



Upon receipt of the Re-authorization Request message from the 3GPP AAA Server or the 3GPP AAA Proxy, the ePDG 
shall check that there is an ongoing session associated to any of the parameters received in the message (identified by 
the Session-Id AVP and the User-Name AVP). 

If an active session is found, the ePDG shall initiate an authorization procedure for the session identified by the Session- 
Id AVP and the User -Name AVP and a Re-authorization Answer message shall be sent to the 3GPP AAA Server or the 
3GPP AAA Proxy with the Result-Code indicating DIAMETER_SUCCESS. 

If the Session-Id included in the request does not correspond with any active session, or if an active session is found but 
it does not belong to the user identified by the User Name parameter, then an Re-authorization Answer message shall be 
sent to the 3GPP AAA Server or the 3GPP AAA Proxy with the Result-Code indicating 
DIAMETER_UNKNOWN_SESSION_ID. 

Exceptions to the cases specified here shall be treated by ePDG as error situations, the Result-Code shall be set to 
DIAMETER_UNABLE_TO_COMPLY and, therefore, no authorization procedure shall be initiated. 

Table 7.1.2.5.3/1 details the valid result codes that the ePDG can return in the response. 

Table 7.1.2.5.3/1 : Re-authorization Answer valid result codes 



Result-Code AVP value 


Condition 


DIAMETER SUCCESS 


The request succeeded. 


DIAMETER UNKNOWN SESSION ID 


The request failed because the user is not found in ePDG. 


DIAMETER UNABLE TO COMPLY 


The request failed. 
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7.2 Protocol Specification 

7.2.1 General 

The SWm reference point shall be based on Diameter, as defined in IETF RFC 3588 [7] and contain the following 
additions and extensions: 

IETF RFC 4005 [4], which defines a Diameter protocol application used for Authentication, Authorization 
and Accounting (AAA) services in the Network Access Server (NAS) environment. 

IETF RFC 4072 [5], which provides a Diameter application to support the transport of EAP (IETF RFC 3748 
[8]) frames over Diameter. 

IETF RFC 5779 [2], which defines a Diameter extensions and application for PMIPv6 MAG to AAA and 
LMA to AAA interfaces. 

- IETF RFC 5447 [6], which defines Diameter extensions for Mobile IPv6 NAS to AAA interface. 

In the case of an untrusted non-3GPP IP access, the MAG to 3GPP AAA server or the MAG to 3GPP AAA proxy 
communication shall use the MAG to AAA interface functionality defined in IETF RFC 5779 [2] and the NAS to AAA 
interface functionality defined in IETF RFC 5447 [6] . 

The Diameter application for the SWm reference point shall use the Diameter Application Id with value 16777264. 

7.2.2 Commands 

7.2.2.1 Commands for SWm Authentication and Authorization Procedures 

7.2.2.1 .1 Diameter-EAP-Request (DER) Command 

The Diameter-EAP-Request (DER) command, indicated by the Command-Code field set to 268 and the "R" bit set in 
the Command Flags field, is sent from a ePDG to a 3GPP AAA Server/Proxy. The ABNF is based on the one in IETF 
RFC 5779 [2]. 

< Diameter-EAP-Request > ::= < Diameter Header: 268, REQ, PXY, 16777264 > 

< Session-Id > 

{ Auth-Application-Id } 
{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Request-Type } 
{ EAP-Payload } 
[ User-Name ] 
[ RAT-Type ] 
[ Service-Selection ] 
[ MIP6-Feature-Vector ] 
[ QoS-Capability ] 
[ Visited-Network-Identifier ] 
*[ Supported-Features ] 

*[ AVP ] 

7.2.2.1 .2 Diameter-EAP-Answer (DEA) Command 

The Diameter-EAP-Answer (DER) command, indicated by the Command-Code field set to 268 and the "R" bit cleared 
in the Command Flags field, is sent from a 3GPP AAA Server/Proxy to the ePDG. The ABNF is based on the one in 
IETF RFC 5779 [2]. 

< Diameter-EAP-Answer > ::= < Diameter Header: 268, PXY, 16777264> 

< Session-Id > 

{ Auth-Application-Id } 
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{ Auth-Request-Type } 

{ Result-Code } 

{ Origin-Host } 

{ Origin-Realm } 

{ EAP-Payload } 

[ EAP -Master-Session-Key ] 

[ APN-OI-Replacement ] 

[ APN-Configuration ] 

[ MIP6-Feature-Vector ] 

[ Mobile-Node-Identifier ] 

[ Trace-Info ] 

[ Subscription-ID ] 

[ Session-Timeout ] 

[ MIP6-Agent-Info ] 

[ 3GPP-Charging-Characteristics ] 

*[ Redirect-Host ] 

*[ Supported-Features ] 

*[ AVP ] 

7.2.2.1 .3 Diameter-AA-Request (AAR) Command 

The AA-Request (AAR) command, indicated by the Command-Code field set to 265 and the "R" bit set in the 
Command Flags field, is sent from a ePDG to a 3GPP AAA Server/Proxy. 

<AA-Request> ::= < Diameter Header: 265, REQ, PXY, 16777264 > 

< Session-Id > 
{ Auth-Application-Id } 
{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Request-Type } 
[ User-Name ] 

*[ AVP ] 

7.2.2.1 .4 Diameter-AA-Answer (AAA) Command 

The AA- Answer (AAA) command, indicated by the Command-Code field set to 265 and the "R" bit cleared in the 
Command Flags field, is sent from 3GPP AAA Server/Proxy to a ePDG. 
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<AA-Answer> ::= < Diameter Header: 265, REQ, PXY, 16777264 > 

< Session-Id > 

{ Auth-Application-Id } 

{ Auth-Request-Type } 

{ Result-Code } 

{ Origin-Host } 

{ Origin-Realm } 

[ User-Name ] 

[ APN-Configuration ] 

[ Trace-Info ] 

[ Subscription-ID ] 

[ 3GPP-Charging-Characteristics ] 

[ Session-Timeout ] 

*[ AVP ] 

7.2.2.2 Commands for ePDG Initiated Session Termination 

7.2.2.2.1 Session-Termination-Request (STR) Command 

The Session-Termination-Request (STR) command, indicated by the Command-Code field set to 275 and the "R" bit set 
in the Command Flags field, is sent from a ePDG to a 3GPP AAA Server/Proxy. The ABNF is based on the one in 
IETF RFC 3588 [7], and is defined as follows: 

< Session-Termination-Request > ::= < Diameter Header: 275, REQ, PXY, 16777264 > 

< Session-Id > 

{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Application-ld } 
{ Termination-Cause } 
[ User-Name ] 

*[ AVP ] 

7.2.2.2.2 Session-Termination-Answer (STA) Command 

The Session-Termination- Answer (STA) command, indicated by the Command-Code field set to 275 and the "R" bit 
clear in the Command Flags field, is sent from a 3GPP AAA Server/Proxy to a ePDG. The ABNF is based on the one in 
IETF RFC 3588 [7], and is defined as follows: 

< Session-Termination-Answer > ::= < Diameter Header: 275, PXY, 16777264 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 

*[ AVP ] 

7.2.2.3 Commands for 3GPP AAA Server Initiated Session Termination 
7.2.2.3.1 Abort-Session-Request (ASR) Command 

The Abort-Session-Request (ASR) command shall be indicated by the Command-Code field set to 274 and the "R" bit 
set in the Command Flags field, and shall be sent from a 3GPP AAA Server/Proxy to an ePDG. The ABNF is based on 
that in IETF RFC 4005 [4]. 

< Abort-Session-Request > ::= < Diameter Header: 274, REQ, PXY, 16777264 > 

< Session-Id > 

{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Destination-Host } 



£75/ 



3GPP TS 29.273 version 1 0.7.0 Release 1 67 ETSI TS 1 29 273 V1 0.7.0 (201 2-1 0) 

{ Auth- Application-Id } 

[ User-Name ] 

[ Auth-Session-State ] 

*[ AVP ] 

7.2.2.3.2 Abort-Session-Answer (ASA) Command 

The Abort-Session- Answer (ASA) command shall be indicated by the Command-Code field set to 274 and the "R" bit 
cleared in the Command Flags field, and shall be sent from a ePDG to a 3GPP AAA Server/Proxy. The ABNF is based 
on that in IETF RFC 4005 [4]. 

< Abort-Session-Answer > ::= < Diameter Header: 274, PXY, 16777264 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 

*[ AVP ] 

7.2.2.3.3 Session-Termination-Request (STR) Command 

The Session-Termination-Request (STR) command, indicated by the Command-Code field set to 275 and the "R" bit set 
in the Command Flags field, is sent from an ePDG to a 3GPP AAA Server/Proxy. The Command Code value and 
ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Request command. 

<Session-Termination-Request> ::= < Diameter Header: 275, REQ, PXY, 16777264 > 

< Session-Id > 

{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth-Application-Id } 
{ Termination-Cause } 
[ User-Name ] 

*[ AVP ] 

7.2.2.3.4 Session-Termination-Answer (STA) Command 

The Session-Termination- Answer (STA) command, indicated by the Command-Code field set to 275 and the "R" bit 
cleared in the Command Flags field, is sent from a 3GPP AAA Server/Proxy to an ePDG. The Command Code value 
and ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Answer command. 

<Session-Termination-Answer> ::= < Diameter Header: 275, PXY, 16777264 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 
*[ AVP ] 

7.2.2.4 Commands for Authorization Information Update 

7.2.2.4.1 Re-Auth-Request (RAR) Command 

The Re-Auth-Request (RAR) command shall be indicated by the Command-Code field set to 258 and the "R" bit set in 
the Command Flags field, and shall be sent from a 3GPP AAA Server/Proxy to a ePDG. The ABNF is based on the one 
in IETF RFC 4005 [4] and is defined as follows. 

< Re-Auth-Request > ::= < Diameter Header: 258, REQ, PXY, 16777264 > 

< Session-Id > 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 
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{ Destination-Host } 
{ Auth-Application-Id } 
{ Re-Auth-Request-Type 

[ User-Name ] 



7.2.2.4.2 



*[ AVP ] 

Re-Auth-Answer (RAA) Command 



The Re-Auth-Answer (RAA) command shall be indicated by the Command-Code field set to 258 and the "R" bit 
cleared in the Command Flags field, and shall be sent from a ePDG to a 3GPP AAA Server/Proxy. The ABNF is based 
on the one in IETF RFC 4005 [4] and is defined as follows. 



< Re-Auth-Answer > ::= 



< Diameter Header: 258, PXY, 16777264 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 
[ User-Name ] 

*[ AVP ] 



7.2.3 Information Elements 



7.2.3.1 



General 



The following table describes the Diameter AVPs defined for the SWm interface protocol for untrusted non-3GPP 
access, their AVP Code values, types, possible flag values and whether or not the AVP may be encrypted. 

Table 7.2.3.1/1 : Diameter SWm AVPs 











AVP Flag rules 




Attribute Name 


AVP 
Code 


Section 
defined 


Value Type 


Must 


May 


Should 
not 


Must 
not 


May 
Encr. 


APN-Configuration 


1430 


8.2.3.7 


Grouped 


M 






V 


No 


Mobile-Node-ldentifier 


506 


5.2.3.2 


OctetString 


M 






V 


No 


MIP6-Feature-Vector 


124 


5.2.3.3 


Unsigned64 


M 






V 


No 


QoS-Capability 


578 


9.2.3.2.4 


Grouped 


M 






V 


No 


RAT-Type 


1032 


5.2.3.6 


Enumerated 


M,V 


P 






Y 


Visited-Network- 
Identifier 


600 


9.2.3.1.2 


OctetString 


M,V 








No 


Trace-Info 


1505 


8.2.3.1.3 


Grouped 


V 






M 


No 


Service-Selection 


493 


5.2.3.5 


UTFSString 


M 






V 


No 



The following table describes the Diameter AVPs re-used by the SWm interface protocol from existing Diameter 
Applications, including a reference to their respective specifications and when needed, a short description of their use 
within SWm. Other AVPs from existing Diameter Applications, except for the AVPs from Diameter Base Protocol, do 
not need to be supported. 
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Table 7.2.3.1/2: SWm re-used Diameter AVPs 



Attribute Name 


Reference 


Comments 


Auth-Request-Type 


IETF RFC 3588 [7] 




Subscription-ID 


IETF RFC 4006 [20] 




EAP-IVIaster-Session-Key 


IETF RFC 4072 [5] 




EAP-Payload 


IETF RFC 4072 [5] 




Re-Auth-Request-Type 


IETF RFC 3588 [7] 




Session-Timeout 


IETF RFC 3588 [7] 




User-Name 


IETF RFC 3588 [7] 




IVIIPe-Agent-lnfo 


IETF RFC 5447 [6] 




APN-OI-Replacement 


3GPP TS 29.272 


29 






Supported-Features 


3GPP TS 29.229 


24 






Feature-List-ID 


3GPP TS 29.229 


24 




See section 7.2.3.2 


Feature-List 


3GPP TS 29.229 


24 




See section 7.2.3.3 


3GPP-Charging-Characteristics 


3GPPTS 29.061 


31 







Only those AVP initially defined in this reference point and for this procedure are described in the following 
subchapters. 

7.2.3.2 Feature-List-ID AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. For this release, the Feature-List-ID AVP value shall be set 
to 1 for the SWm application. 



7.2.3.3 



Feature-List AVP 



The syntax of this AVP is defined in 3GPP TS 29.229 [24]. A null value indicates that there is no feature used by the 
SWm apphcation. 

NOTE: There are no SWm features defined for this release. 



7.2.4 Session Handling 

The Diameter protocol between the ePDG and the 3GPP AAA Server or the 3GPP AAA Proxy shall always keep the 
session state, and use the same Session-Id parameter for the lifetime of each Diameter session. 

A Diameter session shall identify 

a PDN Connection of a given user, if NBM is used 

a user, if DSMIPv6 is used. 

In order to indicate that the session state is to be maintained, the Diameter client and server shall not include the Auth- 
Session-State AVP, either in the request or in the response messages (see IETF RFC 3588 [7]). 



8 SWx Description 

8.1 Functionality 
8.1.1 General 

The SWx reference point is defined between the 3GPP AAA Server and the HSS. The description of the reference point 
and its functionahty is given in 3GPP TS 23.402 [3]. 
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The SWx reference point is used to authorize the UE and to transport NBM related mobility parameters when NBM is 
used to establish connectivity to the EPC. 

The SWx is used to authenticate and authorize the UE when the S2a, S2b or S2c reference points are used to connect to 
EPC. This reference point is also used to update the HSS with the PDN-GW address information. Additionally, this 
reference point may be used to retrieve and update other mobility related parameters including static QoS profiles for 
non-3GPP accesses. 

Additional requirements for the SWx interface can be found in section 12 of 3GPP TS 23.402 [3]. 

8.1.2 Procedures Description 
8.1.2.1 Authentication Procedure 

8.1.2.1.1 General 

This procedure is used between the 3GPP AAA Server and the HSS. The procedure is invoked by the 3GPP AAA 
Server when a new set of authentication information for a given subscriber is to be retrieved from an HSS. This can 
happen for example, when a new trusted or untrusted non 3GPP/IP access subscriber has accessed the 3GPP AAA 
Server for authentication or when a new set of authentication information is required for one of the subscribers already 
registered in the 3GPP AAA server. The procedure shall be invoked by 3GPP AAA Server when it detects that the 
VPLMN or access network has changed. 
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Table 8.1.2.1.1/1 : Authentication request 



Information element 
name 


Mapping to 
Diameter AVP 


Cat. 


Description 


IIVISI 


User-Name 
(See IETF RFC 
3588 [7]) 


M 


This information element shall contain the user IIVISI, formatted 
according to 3GPP TS 23.003 [14], clause 2.2. 


Visited Network 
Identifier 


Visited- 

Network- 

Identifler 


C 


This IE shall contain the identifier that allows the home network to 
identify the Visited Network. The 3GPP AAA Server shall include this 
information element when received from signalling across the SWd. 


Number 
Authentication Items 


SIP-Number- 
Auth-ltems 


M 


This information element shall indicate the number of authentication 
vectors requested 


Authentication Data 


SIP-Auth-Data- 
Item 


C 


See tables 8.1 .2.1 .1/2 and 8.1 .2.1 .1/3 for the contents of this 
information element. The content shown in table 8.1 .2.1 .1/2 shall be 
used for a normal authentication request; the content shown in table 
8.1 .2.1 .1/3 shall be used for an authentication request after 
synchronization failure. 


Routing Information 


Destination- 
Host 


C 


If the 3GPP AAA Server knows the HSS name, this AVP shall be 
present. 

This information is available if the 3GPP AAA Server already has the 
HSS name stored. The HSS name shall be obtained from the Origin- 
Host AVP, which is received from a previous command from the HSS 
or from the SLF; 

otherwise only the Destination-Realm is included so that it is 
resolved to an HSS address in an SLF-like function. Once resolved 
the Destination-Host AVP is included with the suitable HSS address 
and it is stored in the 3GPP AAA Server for further usage. 


Access Network 
Identity 


ANID 


c 


This IE shall contain the access network identifier used for key 

derivation at the HSS. (See 3GPP TS 24. 302 [26] for all possible 

values). 

This IE shall be present if the Authentication Method is EAP-AKA". 


Access Type 


RAT-Type 


M 


This IE shall contain the radio access technology that is serving the 
UE. (See 3GPP TS 29.212 [23] for all possible values) 


Terminal Information 


Terminal- 
Information 





This information element shall contain information about the user"s 
mobile equipment. The AVP shall be present only if received from 
the non-3GPP access GW, in authentication and authorization 
request. The AVP shall be transparently forwarded by the 3GPP AAA 
server. 


Supported Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 



Table 8.1.2.1.1/2: Authientication Data content - request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Authentication 
Method 


SIP- 

Authentication- 

Scheme 


M 


This information element shall indicate the authentication method 

It shall contain one of the values EAP-AKA or EAP-AKA'. EAP-AKA' is 

specified in IETF RFC 5448 [27]. 



Table 8.1.2.1.1/3: Authentication Data content - request, synchronization failure 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Authentication 
Method 


SIP- 

Authentication- 

Scheme 


M 


This information element shall indicate the authentication method 
It shall contain one of the values EAP-AKA or EAP-AKA'. 


Authorization 
Information 


SIP- 
Authorization 


M 


This IE shall contain the concatenation of Rand, as sent to the terminal, and 
auts, as received from the terminal. Rand and auts shall both be binary 
encoded. 
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Table 8.1.2.1.1/4: Authentication answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


IMS! 


User-Name 
(See IETF RFC 
3588 [7]) 


M 


This information element shall contain the user IMSI, formatted according to 
3GPP TS 23.003 [14], clause 2.2. 


Number 

Authentication 

Items 


SIP-Number- 
Auth-ltems 


C 


This AVP shall indicate the number of authentication vectors delivered in the 

Authentication Data information element. 

It shall be present when the result is DIAMETER SUCCESS. 


Authentication 
Data 


SIP-Auth-Data- 
Item 


C 


If the SIP-Number-Auth-ltems AVP is equal to zero or it is not present, then 

this AVP shall not be present. 

See table 8.1 .2.1 .1/5 for the contents of this information element. 


3GPP AAA 
Server Name 


3GPP-AAA- 
Server-Name 


c 


This AVP shall contain the Diameter address of the 3GPP AAA Server. 
This AVP shall be sent when the user has been previously authenticated by 
another 3GPP AAA Server and therefore there is another 3GPP AAA Server 
serving the user. 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for SWx errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 



Table 8.1.2.1.1/5: Authentication Data content - response 



Information 
element name 


Mapping to 

Diameter 

AVP 


Cat. 


Description 


Item Number 


SlP-ltem- 
Number 


C 


This information element shall be present in a SIP-Auth-Data-ltem grouped 
AVP in circumstances where there are multiple occurrences of SIP-Auth- 
Data-ltem AVPs, and the order in which they should be processed is 
significant. 

In this scenario, SIP-Auth-Data-ltem AVPs with a low SIP-ltem-Number 
value should be processed before SIP-Auth-Data-ltems AVPs with a high 
SIP-ltem-Number value. 


Authentication 
Method 


SIP- 

Authentication 

Scheme 


M 


This IE shall contain one of the values EAP-AKA or EAP-AKA'. 


Authentication 

Information 

AKA 


SIP- 
Authenticate 


M 


This IE shall contain, binary encoded, the concatenation of the 
authentication challenge RAND and the token AUTN. See 3GPP TS 33.203 
[1 6] for further details about RAND and AUTN. 


Authorization 

Information 

AKA 


SIP- 
Authorization 


M 


This IE shall contain binary encoded, the expected response XRES. See 
3GPP TS 33.203 [1 6] for further details about XRES. 


Confidentiality 

Key 

AKA 


Confidentiality 
-Key 


M 


This information element shall contain the confidentiality key CK or CK'. It 
shall be binary encoded. 


Integrity Key 
AKA 


Integrity-Key 


M 


This information element shall contain the integrity key IK or IK'. It shall be 
binary encoded. 



8.1.2.1.2 



Detailed behaviour 



The HSS shall, in the following order (if there is an error in any of the steps, the HSS shall stop processing and return 
the corresponding error code): 

1 . Check that the user exists in the HSS. If not Experimental-Result-Code shall be set to 
DIAMETER_ERROR_USER_UNKNOWN. 
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2. Check that the user has non-3GPP subscription. If not Experimental-Result-Code shall be set to 
DIAMETER_ERROR_USER_NO_NON_3GPP_SUBSCRIPTON. 

3. If a Visited -Network-Identifier is present, check that the user is allowed to roam in the visited network. If the 
user is not allowed to roam in the visited network, Experimental-Result-Code shall be set to 
DIAMETER_ERROR_ROAMING_NOT_ALLOWED. 

4. Check RAT-Type AVP. If the access type indicates any value that is restricted for the user, then the 
Experimental-Result-Code shall be set to DIAMETER_ERROR_RAT_TYPE_NOT_ALLOWED. 

5. The HSS shall check if there is an existing 3GPP AAA Server already assisting the user 

If there is a 3GPP AAA Server already serving the user, the HSS shall compare the 3GPP AAA server name 
received in the request to the 3GPP AAA Server name stored in the HSS. 

- If they are not identical the HSS shall return the old 3GPP AAA Server to the requester 3GPP AAA Server 
and return an error by setting the Experimental-Result-Code to 
DIAMETER_ERROR_IDENTITY_ALREADY_REGISTERED. 

The requester 3GPP AAA Server, upon detection of a 3GPP AAA Server name in the response assumes that 
the user already has a 3GPP AAA Server assigned, so makes use of Diameter redirect function to indicate 
the 3GPP AAA Server name where to address the authentication request. 

6. The HSS shall check the request type. 

If the request indicates there is a synchronization failure, the HSS shall process AUTS as described in 
3GPP TS 33.203 [16] and return the requested authentication information. The Result-Code shall be set to 
DIAMETER_SUCCESS. 

If the request indicates authentication, the HSS shall generate the authentication vectors for the 
requested authentication method, EAP-AKA or EAP-AKA', as described in 3GPP TS 33.402 [19]. The 
HSS shall download Authentication-Data-Item up to a maximum specified in SIP-Number-Auth-Items 
received in the command Multimedia- Auth-Request. The result code shall be set to 
DIAMETER_SUCCESS. 

If there is no 3GPP AAA Server already serving the user, the HSS shall store the received 3GPP AAA Server 
name. 

Exceptions to the cases specified here shall be treated by HSS as error situations, the Result-Code shall be set to 
DIAMETER_UNABLE_TO_COMPLY. No authentication information shall be returned. 

Origin-Host AVP shall contain the 3GPP AAA Server identity. 

8.1 .2.2 Location Management Procedures 

8.1.2.2.1 General 

According to the requirements described in 3GPP TS 23.402 [3], SWx reference point shall enable: 

Registration of the 3GPP AAA Server serving an authorized trusted or untrusted non-3GPP access user in the 
HSS. 

Retrieval of charging-related information from HSS. 

Deregistration procedure between the 3GPP AAA Server and the HSS. 

Retrieval of subscriber profile from HSS. 

8.1.2.2.2 UE/PDN Registration/DeRegistration Notification 

8.1.2.2.2.1 General 

This procedure is used between the 3GPP AAA Server and the HSS. 
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To register the current 3GPP AAA Server address in the HSS for a given non-3GPP user. This procedure is 
invoked by the 3GPP AAA Server after a new subscriber has been authenticated by the 3GPP AAA Server. 

To de-register the current 3GPP AAA Server address in the HSS for a given non-3GPP user. When the 3GPP 
AAA Server is going to remove the access information for a non-3GPP user (i.e. the STa, SWm, S6b sessions 
are terminated) or when the OCS has initiated a disconnection, the 3GPP AAA Server informs the HSS about an 
ongoing disconnection process and the HSS de-registers the non-3GPP user. 

To download the subscriber profile to the 3GPP AAA Server on demand. This procedure is invoked when for 
some reason the subscription profile of a subscriber is lost. 

To update the HSS with the identity and the PLMN ID of a dynamically allocated PDN GW as a result of the 
first PDN connection establishment associated to an APN. 

Table 8.1.2.2.2.1/1 : Non-3GPP IP Access Registration request 



Information 
element name 


IVIapping to 
Diameter AVP 


Cat. 


Description 


IMSI 


User-Name 
(See IETF RFC 
3588 [7]) 


M 


This information element shall contain the user IMSI and shall be 
formatted according to 3GPP TS 23.003 [14], clause 2.2. 


Server 
Assignment Type 


Server- 

Assignment- 

Type 


M 


This IE shall contain the type of procedure the 3GPP AAA Server 

requests in the HSS. 

When this IE contains REGISTRATION value, the HSS shall perform a 

registration of the non-3GPP user. 

When this IE contains USER DEREGISTRATION / 

ADMINISTRATIVE DEREGISTRATION / AUTHENTICATION FAILURE 

/ AUTHENTICATION_TIMEOUT the HSS shall de-register the non-3GPP 

user. 

When this IE contains AAA_USER_DATA_REQUEST value, the HSS 

shall download the subscriber user profile towards the 3GPP AAA Server 

as part of 3GPP AAA Server initiated profile download request, but no 

registration shall be performed. 

When this IE contains PGW_UPDATE value, the HSS shall check if the 

stored 3GPP AAA server name is the currently registered 3GPP AAA 

server for this same user and shall update the PGW identity for the non- 

3GPP user. 

Any other value shall be considered as an error case. 


Routing 
Information 


Destination- 
Host 


C 


If the 3GPP AAA Server knows the HSS name this AVP shall be present. 
This information is available if the 3GPP AAA Server already has the 
HSS name stored. The HSS name shall be obtained from the Origin-Host 
AVP, which is received from the HSS as part of authentication response; 
otherwise only the Destination-Realm is included so that it is resolved to 
an HSS address in an SLF-like function. Once resolved the 
Destination-Host AVP shall be included with the suitable HSS address 
and it shall be stored in the 3GPP AAA Server for further usage. 


PGW identity 


IVIIP6-Agent- 
Info 


C 


This IE shall contain the identity of the dynamically allocated PDN GW 
and is included if the Server-Assignment-Type is set to PGW UPDATE. 


PGW PLMN ID 


Visited- 

Networl<- 

Identifier 


c 


This IE contains the identity of the PLMN where the PDN-GW was 
allocated, in cases of dynamic PDN-GW assignment. It shall be present 
when the PGW Identity is present and does not contain an FODN. 


Context Identifier 


Context- 
Identifier 





This parameter shall identify the APN Configuration with which the 
reallocated PDN GW shall be correlated, and it may be included if it is 
available and the Server-Assignment-Type is set to PGW UPDATE. 


APN Id 


Service- 
Selection 


c 


This information element shall contain the Network Identifier part of the 
APN, and it shall be included if the Server-Assignment-Type is set to 
PGW UPDATE. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 
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Table 8.1.2.2.2.1/2: Non-3GPP IP Access Registration response 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


IMS! 


User-Name 
(See IETF RFC 
3588 [7]) 


M 


This information element shall contain the user IIVISI and shall be formatted 
according to 3GPP TS 23.003 [14], clause 2.2. 


Registration 
result 


Result-Code / 
Experimental- 
Result 


M 


This IE contains the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for SWx errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 


User Profile 


Non-3GPP- 
User-Data 


C 


This IE shall contain the relevant user profile. Section 8.2.3.1 details the 
contents of the AVP. 

It shall be present when Server-Assignment-Type in the request is equal to 
AAA USER DATA REQUEST or REGISTRATION and the Result-Code is 
equal to DIAMETER SUCCESS. 


3GPP AAA 
Server Name 


3GPP-AAA- 
Server-Name 


C 


This AVP shall contain the Diameter address of the 3GPP AAA Server. 
This AVP shall be present when the user has been previously authenticated 
by another 3GPP AAA Server and therefore there is another 3GPP AAA 
Server serving the user. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 



8.1.2.2.2.2 



Detailed behaviour 



When a new trusted or untrusted non-3GPP IP access subscriber has been authenticated by the 3GPP AAA Server, the 
3GPP AAA Server initiates the registration towards the HSS. The HSS shall, in the event of an error in any of the steps, 
stop processing and return the corresponding error code. 

At reception of the Non-3GPP IP Access Registration, the HSS shall perform (in the following order): 

1 . Check that the user is known. If not Experimental-Result-Code shall be set to 
DIAMETER_ERROR_USER_UNKNOWN. 

2. The HSS shall check if there is an existing 3GPP AAA Server already assisting the user 

If there is a 3GPP AAA Server already serving the user, the HSS shall compare the 3GPP AAA Server name 
received in the request to the 3GPP AAA Server name stored in the HSS. 

- If they are not identical the HSS shall return the old 3GPP AAA Server to the requester 3GPP AAA Server 
and return an error by setting the Experimental-Result-Code to 
DIAMETER_ERROR_IDENTITY_ALREADY_REGISTERED. 

The requester 3GPP AAA Server, upon detection of a 3GPP AAA Server name in the response assumes that 
the user already has a 3GPP AAA Server assigned, so makes use of Diameter redirect function to indicate 
the 3GPP AAA Server name where to address the Non-3GPP IP Access Registration request. 

If they are identical but there is no APN configuration information in HSS for the user, the HSS shall return 
the Experimental Result Code DIAMETER_ERROR_USER_NO_NON_3GPP_SUBSCRIPTION and it 
shall remove the 3GPP AAA Server name previously assigned for this subscriber. 

If there is not a 3GPP AAA Server already serving the user, the HSS shall return an error, setting the Result- 
Code to DIAMETER_UNABLE_TO_COMPLY in the Response command. 
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3. After the HSS has determined that the requesting 3GPP AAA server is identical to the registered 3GPP AAA 
server, the HSS shall check the Server Assignment Type value received in the request: 

- If it indicates REGISTRATION, the HSS shall set the subscribers User Status to REGISTERED for the 
authenticated and authorized trusted or untrusted non-3GPP IP access subscriber, download the relevant user 
profile information and set the Result-Code AVP to DIAMETER_SUCCESS in the Server-Assignment- 
Response command. For those APNs that have been authorized as a consequence of having the Wildcard 
APN in the user subscription, the HSS shall include the specific APN name and associated PDN-GW identity 
inside the APN context of the Wildcard APN. 

- If it indicates USER_DEREGISTRATION / ADMINISTRATIVE_DEREGISTRATION / 
AUTHENTICATION_FAILURE / AUTHENTICATION_TIMEOUT, the HSS shall remove the 3GPP AAA 
Server name previously assigned for the subscriber, set the User Status for the subscriber to 
NOT_REGISTERED and set the Result-Code AVP to DIAMETER_SUCCESS in the Server-Assignment- 
Response command. The HSS shall not remove the stored dynamic PGW-ID and APN information for the 
subscriber. 

- If it indicates AAA_USER_DATA_REQUEST, the HSS shall download the relevant user profile information 
to the requester 3GPP AAA Server and set the Result-Code AVP to DIAMETER_SUCCESS in the Response 
command. 

If it indicates PGW_UPDATE, the HSS shall check if the subscriber is registered. 

If the subscriber is registered and there is not a static PDN GW subscribed, the HSS shall store the PGW 
identity and PLMN (if it is received in the command) for the non-3GPP user and the APN identified by the 
APN Id or by the Context Identifier if present in the request; otherwise, the HSS shall not update or delete the 
stored PDN GW and, for this case, shall set the result code to DIAMETER_UNABLE_TO_COMPLY. 

If the APN corresponding to the PGW identity is not present in the subscription but the wild card APN is 
present in the subscription, the HSS shall store the new PDN GW identity and PLMN for an APN if present 
in the request. The HSS shall set the Result-Code AVP to DIAMETER_SUCCESS in the Server- 
Assignment-Response command. If the Context Identifier is included in the request, the HSS may use it to 
locate the APN Configuration. 

If the APN corresponding to the PGW identity is not present in the subscription and the wild card APN is not 
present in the subscription, the HSS shall reject the request and set the Result-Code AVP to 
DIAMETER_UNABLE_TO_COMPLY. 

If the subscriber is not registered, the HSS shall reject the request and set the Experimental-Result-Code AVP 
toDIAMETER_ERROR_IDENTITY_NOT_REGISTERED. 

- If it indicates any other value, the Result-Code shall be set to DIAMETER_UNABLE_TO COMPLY, and no 
registration/de-registration or profile download procedure shall be performed. 

Origin-Host AVP shall contain the 3GPP AAA Server identity. 

Once the 3GPP AAA Server has received the user profile data as a result of successful registration to the HSS, the 
3GPP AAA Server shall create appropriate routing policies and IP filtering information according to the retrieved 
operator defined barring information. These routing policies and IP filtering information are used for the subsequent 
authorizations by the MAG functionality in the trusted 3GPP/IP access, or ePDG or PGW. If the subscription data 
received for a certain APN indicates that the APN was authorized as a consequence of having the Wildcard APN in the 
user subscription in HSS, then the 3GPP AAA Server shall not store this APN data beyond the lifetime of the UE 
sessions related to the specific APN and the 3GPP AAA Server shall delete them upon disconnection of the UE. If the 
PGW Identity contains an FQDN of the PDN GW, the 3GPP AAA Server shall retrieve the PGW PLMN ID from the 
MIP-Home-Agent-Host AVP within the MIP6- Agent-Info AVP which contains the PGW Identity. 

8.1 .2.2.3 Network Initiated De-Registration by HSS, Administrative 

8.1.2.2.3.1 General 

This procedure is used between the 3GPP AAA Server and the HSS to remove a previous registration and all associated 
state. When the de-registration procedure is initiated by HSS, indicating that a subscription has to be removed, the 
3GPP AAA Server subsequently triggers the detach procedure via the appropriate interface. 
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Table 8.3.2.3: Network Initiated Deregistration by HSS request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


IMSI 


User-Name 
(See IETF RFC 
3588 [7]) 


M 


This information element shall contain the user IIVISI and shall be formatted 
according to 3GPP TS 23.003 [14], clause 2.2. 


Reason for de- 
registration 


Deregistration- 
Reason 


M 


This IE shall contain the reason for the de-registration as the HSS shall send 
to the 3GPP AAA server a reason for the de-registration. 
The de-registration reason shall be composed of two parts: one textual 
message (if available) that is intended to be forwarded to the user that is 
de-registered, and one reason code (see 3GPP TS 29.229 [24]) that 
determines the behaviour of the 3GPP AAA Server. 


Routing 
Information 


Destination- 
Host 


M 


This IE shall contain the 3GPP AAA server name that is obtained from the 
Origin-Host AVP, which is received from the 3GPP AAA Server, 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 



Table 8.3.2.4: Network Initiated Deregistration by HSS response 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the Result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for SWx errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 



8.1.2.2.3.2 



Detailed behaviour 



The HSS shall de-register the affected identity and invoke this procedure to inform the 3GPP AAA server to remove the 
subscribed user from the 3GPP AAA Server. 

The HSS shall send in the Deregistration-Reason AVP the reason for the de-registration, composed by a textual 
message (if available) aimed for the user and a reason code that determines the action the 3GPP AAA server has to 
perform. The possible reason codes are: 

PERMANENT_TERMINATION: The non-3gpp subscription or service profile(s) has been permanently 
terminated. The HSS shall clear the user's 3GPP AAA Server name and set the User Status to 
NOT_REGISTERED. The 3GPP AAA Server should start the network initiated de-registration towards the user. 



8.1.2.3 



HSS Initiated Update of User Profile 



8.1.2.3.1 



General 



According to the requirements described in 3GPP TS 23.402 [3] and 3GPP TS 32.422 [32], SWx reference point shall 
enable: 

Indication to 3GPP AAA Server of change of non-3GPP subscriber profile within HSS; 

Activation and deactivation of the subscriber and equipment trace in the PDN GW. 
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This procedure is used between the 3GPP AAA Server and the HSS. The procedure is invoked by the HSS when the 
subscriber profile has been modified and needs to be sent to the 3GPP AAA Server. This may happen due to a 
modification in the HSS. 

The procedure is also invoked by the HSS to update the 3GPP AAA Server with the identity of a dynamically allocated 
PDN GW which is included in the APN-Configuration AVP in the User Profile as a result of the first PDN connection 
establishment associated with an APN over 3GPP access. 

This procedure is mapped to the Diameter command codes Push-Profile-Request (PPR) and Push-Profile- Answer 
(PPA) specified in the 3GPP TS 29.229 [24]. Information element contents for these messages are shown in tables 
8.1.2.3.1/1 and 8.1.2.3.1/2. 

Table 8.1.2.3.1/1 : User Profile Update request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


IMSI 


User-Name 
(See IETF RFC 
3588 [7]) 


M 


This information element shall contain the user IIVISI and shall be formatted 
according to 3GPP TS 23.003 [14], clause 2.2. 


User profile 


Non-3GPP- 
User-Data 


M 


This IE shall contain the updated user profile. Section 8.2.3.1 details the 

contents of the AVP. 

In case of trace activation or deactivation, the Trace-Info AVP shall be 

included, and this may be the only AVP that is present under this grouped 

AVP. 


Routing 
Information 


Destination- 
Host 


M 


This IE shall contain the 3GPP AAA Server name that is obtained from the 
Origin-Host AVP, which is received from the 3GPP AAA Server 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 



Table 8.1.2.3.1/2: User Profile Update response 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for SWx errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host. 
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8.1.2.3.2 



HSS Detailed behaviour 



The HSS shall make use of this procedure to update the relevant user profile in the 3GPP AAA server (e.g. change of 
subscription data or change of the identity of a dynamically allocated PDN GW associated with an APN), or activate / 
deactivate subscriber and equipment trace in the PDN GW. 



8.1.2.3.3 



3GPP AAA Server Detailed behaviour 



The 3GPP AAA server shall overwrite, for the subscriber identity indicated in the request, current information with the 
information received from the HSS, except in the error situations detailed in table 8.1.2.3.3/1. 

After a successful user profile download, the 3GPP AAA server shall initiate re-authentication procedure as described 
in sub-clause 7.2.2.4 if the subscriber has previously been authenticated and authorized to untrusted non-3GPP access. 
If the subscriber has previously been authenticated and authorized to trusted Non-3GPP IP Access then the 3GPP AAA 
server shall initiate a re-authorization procedure as described in sub-clause 5.1.2.3. 

Following a successful user profile download, the 3GPP AAA server shall apply routing policies and IP filtering 
information as described in clause 8.1.2.2.2. . As multiple authorization sessions may exist for the user (see section 
7.1.2.1), the 3GPP AAA server shall examine the need to execute re-authorization for each of these sessions, and may 
execute the multiple re-authorization procedures in parallel. In case the user's non-3GPP subscription has been deleted 
or the user's APN has been barred, the re-authorization shall be executed in all ongoing user related authorization 
sessions. Otherwise, the re-authorization procedure shall be invoked for the authorization sessions for which at least one 
of the following conditions is fulfilled: 

The user's subscribed APN has been deleted from the HSS. 

The APN configuration data has been previously downloaded to the ePDG and the new version of APN 
configuration received from HSS reflects a modification in these data. 

Following a successful download of subscription and equipment trace data, the 3GPP AAA Server shall forward the 
trace data by initiating reauthorization towards all PDN GWs that have an active authorization session. 

Table 8.1.2.3.3/1 details the valid result codes that the 3GPP AAA server can return in the response. 
Table 8.1.2.3.3/1 : User profile response valid result codes 



Result-Code AVP value 


Condition 


DIAMETER SUCCESS 


The request succeeded. 


DIAMETER ERROR USER UNKNOWN 


The request failed because the user is not found in 3GPP AAA Server. 


DIAMETER UNABLE TO COMPLY 


The request failed. 



8.2 Protocol Specification 

8.2.1 General 

The SWx reference point shall be Diameter based. This is defined as an IETF vendor specific Diameter application, 
where the Vendor ID is 3GPP. The Application Id used shall be 16777265. 

8.2.2 Commands 



8.2.2.1 



Authentication Procedure 



The Multimedia- Authentication-Request (MAR) command, indicated by the Command-Code field set to 303 and the 'R' 
bit set in the Command Flags field, is sent by the 3GPP AAA Server to the HSS in order to request security 
information. This corresponds to section 8.1.2.1. 



Message Format 



< Multimedia-Auth-Request > ::= < Diameter Header: 303, REQ, PXY, 16777265 > 

< Session-Id > 
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Vendor-Specific- Application-Id 
Auth-Session-State } 
Origin-Host } 
Origin-Realm } 
Destination-Realm } 
Destination-Host ] 
User-Name } 
RAT-Type ] 
ANID] 

Visited-Network-Identifier] 
Terminal-Information ] 
SIP-Auth-Data-Item ] 
SIP-Number-Auth-Items ] 
[ Supported-Featiires ] 



i=[ AVP ] 



The Multimedia- Authentication- Answer (MAA) command, indicated by the Command-Code field set to 303 and the 'R' 
bit cleared in the Command Flags field, is sent by a server in response to the Multimedia- Authentication-Request 
command. The Result-Code or Experimental-Result AVP may contain one of the values defined in section 6.2 of 3GPP 
TS 29.229 [24] in addition to the values defined in RFC 3588 [7]. 



Message Format 



< Multimedia- Auth-Answer > ::= 



< Diameter Header: 303, PXY, 16777265 > 
< Session-Id > 

{ Vendor-Specific-Application-Id } 
[ Result-Code ] 
[ Experimental-Result ] 
{ Auth-Session-State } 
{ Origin-Host } 
{ Origin-Realm } 
{ User-Name} 
[ SIP-Number-Auth-Items ] 
*[ SIP-Auth-Data-Item ] 
[ 3GPP-AAA-Server-Name ] 
*[ Supported-Features ] 



>■■[ AVP ] 



8.2.2.2 



HSS Initiated Update of User Profile Procedure 



The Push-Profile-Request (PPR) command, indicated by the Command-Code field set to 305 and the 'R' bit set in the 
Command Flags field, is sent by the HSS to the 3GPP AAA Server in order to update the subscription data whenever a 
modification has occurred in the subscription data. This corresponds to section 8.1.2.3. 



Message Format 



< Push-Profile-Request > ::= 



< Diameter Header: 305, REQ, 16777265 > 

< Session-Id > 

{ Vendor-Specific-Application-Id } 

{ Auth-Session-State } 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Host } 

{ Destination-Realm } 

{ User-Name } 

[ Non-3GPP-User-Data ] 

*[ Supported-Features ] 



>=[ AVP : 
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The Push-Profile-Answer (PPA) command, indicated by the Command-Code field set to 305 and the 'R' bit cleared in 
the Command Flags field, is sent by the HSS in response to the Push-Profile-Request command. The Result-Code or 
Experimental-Result AVP may contain one of the values defined in section 6.2 of 3GPP TS 29.229 [24] in addition to 
the values defined in RFC 3588 [7]. 



Message Format 



< Push-Profile-Answer > :: 



< Diameter Header: 305, PXY, 16777265 > 

< Session-Id > 

{ Vendor-Specific-Application-Id } 

[ Result-Code ] 

[ Experimental-Result ] 

{ Auth-Session-State } 

{ Origin-Host } 

{ Origin-Realm } 

*[ Supported-Features ] 



8.2.2.3 



i=[ AVP ] 



Non-3GPP IP Access Registration Procedure 



The Server- Assignment-Request (SAR) command, indicated by the Command-Code field set to 301 and the 'R' bit set 
in the Command Flags field, is sent by the 3GPP AAA Server to the HSS. This corresponds to section 8.1.2.2.2. 

Message Format 



< Server- Assignment- Request > ::= 



< Diameter Header: 301, REQ, PXY, 16777265 > 

< Session-Id > 

{ Vendor-Specific-Application-Id } 

{ Auth-Session-State } 

{ Origin-Host } 

{ Origin-Realm } 

[ Destination-Host ] 

{ Destination-Realm } 

[ Service-Selection ] 

[ Context-Identifier ] 

[ MIP6-Agent-Info ] 

[ Visited-Network-Identifier ] 

{ User-Name} 

{ Server-Assignment-Type } 

*[ Supported-Features ] 



•=[ AVP ] 



The Server-Assignment- Answer (SAA) command, indicated by the Command -Code field set to 301 and the 'R' bit 
cleared in the Command Flags field, is sent by the HSS to the 3GPP AAA Server to confirm the registration, 
de-registration or user profile download procedure. The Result-Code or Experimental-Result AVP may contain one of 
the values defined in section 6.2 of 3GPP TS 29.229 [24] in addition to the values defined in RFC 3588 [7]. 



Message Format 



< Server-Assignment-Answer > ::= 



Diameter Header: 301, PXY, 16777265 > 
Session-Id > 

Vendor-Specific-Application-Id } 
Result-Code ] 
Experimental-Result ] 
Auth-Session-State } 
Origin-Host } 
Origin-Realm } 
User-Name } 
Non-3GPP-User-Data ] 
3GPP-AAA-Server-Name ] 
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*[ Supported-Features " 
*[ AVP ] 



8.2.2.4 



Network Initiated De-Registration by HSS Procedure 



The Registration-Termination-Request (RTR) command, indicated by the Command-Code field set to 304 and the "R" 
bit set in the Command Flags field, is sent by a Diameter Multimedia server to a Diameter Multimedia client in order to 
request the de-registration of a user. This corresponds to section 8.1.2.2.3. 



Message Format 

<Registration-Termination-Request> ::= 



< Diameter Header: 304, REQ, PXY, 16777265 > 

< Session-Id > 

{ Vendor-Specific-Application-Id } 

{ Auth-Session-State } 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Host } 

{ Destination-Realm } 

{ User-Name } 

{ Deregistration-Reason } 

*[ Supported-Features ] 

*[ AVP ] 



The Registration-Termination- Answer (RTA) command, indicated by the Command-Code field set to 304 and the "R" 
bit cleared in the Command Flags field, is sent by a client in response to the Registration-Termination-Request 
command. The Result-Code or Experimental-Result AVP may contain one of the values defined in section 6.2 of 3GPP 
TS 29.229 [24] in addition to the values defined in RFC 3588 [7]. 



Message Format 

<Registration-Termination- Answer> : := 



< Diameter Header: 304, PXY, 16777265 > 

< Session-Id > 

{ Vendor-Specific-Application-Id } 

[ Result-Code ] 

[ Experimental-Result ] 

{ Auth-Session-State } 

{ Origin-Host } 

{ Origin-Realm } 

*[ Supported-Features ] 

*[ AVP ] 



8.2.3 Information Elements 



8.2.3.0 



General 



The following table describes the Diameter AVPs defined for the SWx interface protocol, their AVP Code values, 
types, possible flag values and whether or not the AVP may be encrypted. 

Table 8.2.3.0/1 : Diameter SWx AVPs 



AVP Flag rules 
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Attribute Name 


AVP 
Code 


Section 
defined 


Value Type 


Must 


May 


Should 
not 


Must 
not 


May 
Encr. 


Non-3GPP-User-Data 


1500 


8.2.3.1 


Grouped 


M, V 








No 


Non-3GPP-IP-Access 


1501 


8.2.3.3 


Enumerated 


M, V 








No 


Non-3GPP-IP-Access- 
APN 


1502 


8.2.3.4 


Enumerated 


M, V 








No 


ANID 


1504 


5.2.3.7 


UTF8String 


M, V 








No 


Trace-Info 


1505 


8.2.3.13 


Grouped 


V 






M 


No 


Service-Selection 


493 


5.2.3.5 


UTF8String 


M 






V 


No 



The following table describes the Diameter AVPs re-used by the SWx interface protocol from existing Diameter 
Applications, including a reference to their respective specifications and when needed, a short description of their use 
within SWx. Other AVPs from existing Diameter Applications, except for the AVPs from Diameter Base Protocol, do 
not need to be supported. 

Table 8.2.3.0/2: SWx re-used Diameter AVPs 



Attribute Name 


Reference 


Comments 


User-Name 


IETF RFC 3588 [7] 




Session-Timeout 


IETF RFC 3588 [7] 




Subscription-ID 


IETF RFC 4006 [20] 




IVIIPe-Agent-lnfo 


IETF RFC 5447 [6] 




MIP6-Feature-Vector 


IETF RFC 5447 [6] 




Service-Selection 


IETF RFC 5778 [11] 




3GPP-Gharging-Gharacteristics 


3GPPTS 29.061 [31] 




RAT-Type 


3GPPTS29.212[23] 




Visited-Network-ldentifier 


3GPP TS 29.229 [24] 




SIP-Number-Auth-ltems 


3GPP TS 29.229 [24] 




SIP-ltem-Number 


3GPP TS 29.229 [24] 




SIP-Auth-Data-ltem 


3GPP TS 29.229 [24] 




SIP-Authentication-Scheme 


3GPP TS 29.229 [24] 




SIP-Authenticate 


3GPP TS 29.229 [24] 




SIP-Authorization 


3GPP TS 29.229 [24] 




Confidentiality-Key 


3GPP TS 29.229 [24] 




Integrity-Key 


3GPP TS 29.229 [24] 




Server-Assignment-Type 


3GPP TS 29.229 [24] 




Deregistration-Reason 


3GPP TS 29.229 [24] 




Supported-Features 


3GPP TS 29.229 [24] 




Feature-List-ID 


3GPP TS 29.229 [24] 




Feature-List 


3GPP TS 29.229 [24] 




APN-Configuration 


3GPP TS 29.272 [29] 




Context-Identifier 


3GPP TS 29.272 [29] 




Terminal-Information 


3GPP TS 29.272 [29] 




AMBR 


3GPP TS 29.272 [29] 




APN-OI-Replacement 


3GPP TS 29.272 [29] 




Trace-Data 


3GPP TS 29.272 [29] 




3GPP-AAA-Server-Name 


3GPP TS 29.234 [33] 





Only those AVP initially defined in this reference point or AVP with values initially defined in this reference point and 
for this procedure are described in the following subchapters. 



8.2.3.1 



Non-3GPP-User-Data 



The Non-3GPP-User-Data AVP is of type Grouped. It contains the information related to the user profile relevant for 
EPS. 

AVP format: 



Non-3GPP-User-Data :: 



< AVP Header: 1500 10415 > 

[ Subscription-ID ] 

[ Non-3GPP-IP- Access ] 

[ Non-3GPP-IP-Access-APN ] 

*[ RAT-Type ] 
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[ Session-Timeout ] 

[ MIP6-Feature-Vector ] 

[ AMBR ] 

[ 3GPP-Charging-Characteristics ] 

[ Context-Identifier ] 

[ APN-OI-Replacement ] 

*[ APN-Configuration ] 

[ Trace-Info ] 

*[ AVP ] 

The AMBR included in this grouped AVP shall include the AMBR associated to the user"s subscription (UE-AMBR). 

The APN-OI-Replacement included in this grouped AVP shall include the UE level APN-OI-Replacement associated to 
the user"s subscription. This APN-OI-Replacement has lower priority than APN level APN-OI-Replacement that is 
included in the APN-Configuration AVP.The Non-3GPP-IP-Acess AVP, the Non-3GPP-IP-Access-APN AVP, the 
Context-Identifier AVP and at least one item of the APN-Configuration AVP shall always be included, except when the 
Non-3GPP-User-Data AVP is used for downloading trace activation or deactivation information on the SWx interface, 
for an already registered user. In that specific case, the Trace-Info AVP shall be included and the presence of any 
further AVPs is optional. 

8.2.3.2 Subscription-ID 

The Subscription-ID AVP is of type Grouped and indicates the user identity to be used for charging purposes. It is 
defined in the IETF RFC 4006 [20]. EPC shall make use only of the IMSI and MSISDN values. This grouped AVP 
shall set the sub-AVP Subscription-Id-Type to value "END_USER_E164" and shall set the sub-AVP Subscription-Id- 
Data to the MSISDN value. 

AVP format: 

Subscription-Id ::= < AVP Header: 443 > 

[ Subscription-Id-Type ] 
[Subscription-Id-Data ] 

8.2.3.3 Non-3GPP-IP-Access 

The Non-3GPP -IP -Access AVP (AVP code 1501) is of type Enumerated, and allows operators to determine barring of 
3GPP - non-3GPP interworking subscription. The following values are defined: 

NON_3GPP_SUBSCRIPTION_ALLOWED(0) 

The subscriber has non-3GPP subscription to access EPC network. 
NON_3GPP_SUBSCRIPTION_BARRED (1) 

The subscriber has no non-3GPP subscription to access EPC network. 

8.2.3.4 Non-3GPP-IP-Access-APN 

The Non-3GPP-IP-Access-APN AVP (AVP code 1502) is of type Enumerated, and allows operator to disable all APNs 
for a subscriber at one time. The following values are defined: 

Non_3GPP_APNS_ENABLE (0) 

Enable all APNs for a subscriber. 
Non_3GPP_APNS_DISABLE (1) 

Disable all APNs for a subscriber 

8.2.3.5 RAT-Type 

This AVP is defined is chapter 5.2.3.6 and it shall include thef access technology types not allowed for the user. 
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8.2.3.6 Session-Timeout 

The Session-Timeout AVP is of type Unsigned32. It is defined in IETF RFC 3588 [7] and indicates the maximum 
period for a session measured in seconds. This AVP is used for re-authentication purposes. If this field is not used, the 
non-3GPP Access Node will apply default time intervals. 

8.2.3.7 APN-Configuration 

The APN-Configuration AVP is of type Grouped AVP and is defined in 3GPP TS 29.272 [29]. 

8.2.3.8 ANID 

The ANID AVP is defined in chapter 5.2.3.7. 

8.2.3.9 SIP-Auth-Data-ltem 

The SIP-Auth-Data-Item AVP is defined in 3GPP TS 29.229 [24]. The optional AVPs that are needed in SWx reference 
point are included in the ABNF representation below. 

AVP format: 

SIP-Auth-Data-Item ::= < AVP Header: 612 10415 > 

[ SIP -Item-Number ] 
[ SIP -Authentication-Scheme ] 
[ SIP -Authenticate ] 
[ SIP -Authorization ] 
[ Confidentiality-Key ] 
[ Integrity-Key ] 
*[ AVP ] 

8.2.3.10 Confidentiality-Key 

The Confidentiality-Key AVP is defined in 3GPP TS 29.229 [24]. It is of type OctetString, and contains the 
Confidentiality Key (CK') or, after key derivation using the Access Network Identifier, the Confidentiality Key (CK"). 
For the 3GPP AAA server it is transparent whether the value received corresponds to CK or CK". 

8.2.3.11 Integrity-Key 

The Integrity-Key AVP is defined in 3GPP TS 29.229 [24]. It is of type OctetString, and contains the Integrity Key (IK) 
or, after key derivation using the Access Network Identifier, the Integrity Key (IK"). For the 3GPP AAA server it is 
transparent whether the value received corresponds to IK or IK". 

8.2.3.12 Server-Assignment-Type AVP 

The Server- Assignment-Type AVP is defined in 3GPP TS 29.229 [24] and it is of type Enumerated, and indicates the 
type of server update being performed in a Server- Assignment-Request operation. As part of the SWx protocol 
specification, the following values are additionally defined: 

AAA_USER_DATA_REQUEST (12) 

This value is used to request the non-3GPP user profile data from the 3GPP AAA Server to the HSS. 

PGW_UPDATE(13) 

This value is used to store, update or delete the PDN-GW Identity in the HSS, as requested from the 3GPP 
AAA Server. 

8.2.3.13 Trace-Info 

The Trace-Info AVP is of type Grouped. This AVP shall contain the information related to subscriber and equipment 
trace function and the required action, i.e. activation of deactivation 
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AVP format 

Trace-Info ::= < AVP header: 1505 10415> 
[Trace-Data] 
[Trace-Reference] 

*[AVP] 

Either the Trace-Data or the Trace-Reference AVP shall be included. When trace activation is needed, Trace-Data AVP 
shall be included, while the trace deactivation request shall be signalled by including the Trace-Reference directly under 
the Trace -Info. 

8.2.3.14 Trace-Data 

The Trace-Data AVP is of type Grouped. The Diameter AVP is defined 3GPP TS 29.272 [29], while its contents is 
defined in 3GPP TS 32.422 [32]. 

8.2.3.15 Feature-List-ID AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. For this release, the Feature-List-ID AVP value shall be set 
to 1 for the SWx application. 

8.2.3.16 Feature-List AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. A null value indicates that there is no feature used by the 
SWx application. 

NOTE: There are no SWx features defined for this release. 

8.2.4 Session Handling 

The Diameter protocol between the 3GPP AAA Server and the HSS shall not keep the session state and each Diameter 
request/response interaction shall be transported over a different diameter session which is implicitly terminated. 

In order to indicate that session state shall not be maintained, the diameter client and server shall include the Auth- 
Session-State AVP set to the value NO_STATE_MAlNTAINED (1), as described in IETF RFC 3588 [7]. As a 
consequence, the server shall not maintain any state information about this session and the client shall not send any 
session termination request. Neither the Authorization-Lifetime AVP nor the Session-Timeout AVP shall be present in 
requests or responses. 



8.3 User identity to HSS resolution 



The User identity to HSS resolution mechanism enables the 3GPP AAA server to find the identity of the HSS that holds 
the subscriber data for a given user identity when multiple and separately addressable HSSs have been deployed by the 
network operator. The resolution mechanism is not required in networks that utilise a single HSS or when a 3GPP AAA 
server is configured to use pre-defined HSS address/identity. 

This User identity to HSS resolution mechanism may rely on routing capabilitites provided by Diameter and be 
implemented in the home operator network within dedicated Diameter Agents (Redirect Agents or Proxy Agents) 
responsible for determining the HSS identity based on the provided user identity. If this Diameter based implementation 
is selected by the Home network operator, the principles described below shall apply. 

In networks where more than one independently addressable HSS are utilized by a network operator, and the 3GPP 
AAA server is not configured to use pre-defined HSS address/identity, each 3GPP AAA server shall be configured with 
the address/identity of the Diameter Agent (Redirect Agent or Proxy Agent) implementing this resolution mechanism. 

To get the HSS identity that holds the subscriber data for a given user identity, the 3GPP AAA server shall send the 
Diameter request normally destined to the HSS to a pre-configured address/identity of a Diameter agent supporting the 
User identity to HSS resolution mechanism. 
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If this Diameter request is received by a Diameter Redirect Agent, the Diameter Redirect Agent shall determine 
the HSS identity based on the provided user identity and sends to the 3GPP AAA server a notification of 
redirection towards the HSS identity, in response to the Diameter request. Multiple HSS identities may be 
included in the response from the Diameter Redirect Agent, as specified in IETF RFC 3588 [7]. In such a case, 
the 3GPP AAA server shall send the Diameter request to the first HSS identity in the ordered list received in the 
Diameter response from the Diameter Redirect Agent. If no successful response to the Diameter request is 
received, the 3GPP AAA server shall send a Diameter request to the next HSS identity in the ordered list. This 
procedure shall be repeated until a successful response from an HSS is received. 

If this Diameter request is received by a Diameter Proxy Agent, the Diameter Proxy Agent shall determine the 
HSS identity based on the provided user identity and shall forward the Diameter request directly to the HSS. The 
3GPP AAA server shall determine the HSS identity from the response to the Diameter request received from the 
HSS. 

After the User identity to HSS resolution, the 3GPP AAA server shall store the HSS identity/name/Realm and shall use 
it in further Diameter requests associated to the same user dentity. 

NOTE: Alternatives to the user identity to HSS resolution Diameter based implementation are outside the scope 
of this specification. 



9 S6b and H2 Description 

9.1 Functionality 



9.1.1 General 

The S6b reference point is defined between the 3GPP AAA Server and the PDN-GW. The definition of the reference 
point and its functionality is given in 3GPP TS 23.402 [3]. 

When the UE attaches to the EPC using the S2c reference point, the S6b reference point is used to authenticate and 
authorize the UE, and update the PDN-GW address to the 3GPP AAA server and HSS. 

When the UE attaches to the EPC using the S2a/S2b reference point in the PMIPv6 or GTPv2 mode, the S6b reference 
point is used to update the 3GPP AAA server or the 3GPP AAA proxy with the PDN-GW address information and with 
the selected S2b protocol variant. Furthermore, this reference point may be used to retrieve and update other mobility 
related parameters including static QoS profiles for non-3GPP accesses. 

The S6b reference point is also used to authenticate and authorize the incoming MIPv4 Registration Request in the case 
the UE attaches to the EPC over the S2a reference point using MIPv4 FACoA procedures. 

The S6b reference point is used by the 3GPP AAA Server in the case the UE attaches to the EPC using the S2c 
reference point to indicate to the PDN GW that a PDN GW reallocation shall be performed. This indication triggers the 
actual Home Agent reallocation procedure as specified in 3GPP TS 24.303 [13]. 

The S6b reference point is also used to download subscriber and equipment trace information to the PDN GW. 

The H2 reference point is defined between the 3GPP AAA Server and the HA. The definition of the reference point and 
its functionality is given in 3GPP TS 23.327 [12]. 

NOTE: The H2 interface is a subset of the S6b interface in the sense that only the DSMIPv6 procedures and the 
respective AVPs are implemented. Therefore, in the context of DSMIPv6 the procedures described in this 
specification apply to both S6b and H2. 



£75/ 



3GPP TS 29.273 version 10.7.0 Release 10 



88 



ETSI TS 129 273 VI 0.7.0 (2012-10) 



9.1.2 Procedures Description 



9.1.2.1 



Authentication and Authorization Procedures when using DSMIPv6 



9.1.2.1.1 



General 



The S6b interface shall enable the authentication and authorization between the UE and the 3GPP AAA Server/Proxy 
for DSMIPv6. 

When an UE performs the DSMIPv6 initial attach, it runs an IKEv2 exchange with the PDN GW as specified in 3GPP 
TS 24.303 [13]. In this exchange EAP AKA is used for UE authentication over IKEv2. The PDN GW acts as an IKEv2 
responder and an EAP pass-through authenticator for this authentication. 

The S6b authentication and authorization procedure is invoked by the PDN GW after receiving an IKE_SA_AUTH 
message from the UE. The S6b reference point performs authentication based on reuse of the DER/DEA command set 
defined in Diameter EAP. The exact procedure follows the steps specified in IETF RFC 5778 [11]. 

NOTE: This procedure is only used with DSMIPv6-capable UEs; therefore, only PDNs with PDN Types IPv6 or 
IPv4v6 are accessible in this case. 

Table 9.1.2.1/1: Authentication and Authorization Request 



Information 
Element Name 


IVIapping to 
Diameter AVP 


Cat. 


Description 


User identity 


User-Name 


M 


This information element shall contain the identity of the user. 


Autlientication 
Request Type 


Auth-Request- 
Type 


M 


This IE shall define whether the UE is to be authenticated only, 
authorized only or both. AUTHORIZE_AUTHENTICATE shall be used 
in this case. 


EAP Payload 


EAP- Payload 


M 


This IE shall contain the Encapsulated payload for UE - 3GPP AAA 
Server mutual authentication 


PGW PLMN ID 


Visited-Network- 
Identifier 





This IE shall contain the identifier that allows the home network to 
identify the PLMN where the PGW is located. 


Access Type 


RAT-Type 





This Information Element shall contain the non-3GPP access network 

technology type that is serving the UE. 

This IE shall be present if it is available when the PDN GW sends the 

request. 


PDN GW Identity 


IVIIP6 -Agent-Info 


M 


This IE shall contain the FQDN and/or IPv6 address(es) of the PDN 
GW that the user shall be connected to. 

If the PDN GW includes the IP address in the PDN GW Identity, it shall 
include the HA IPv6 address and, if used, the IPv4 address, as 
DSIVIIPv6 is used. 


IVIIP Subscriber 
Profile 


MIP6-Feature- 
Vector 


M 


This AVP shall be included to inform the 3GPP AAA Server about the 
used mobility protocol. None of the PMIP6 SUPPORTED or 
MIP4_SUPP0RTED flags shall be set, since DSI\/IIPv6 is used in this 
case. 


APN 


Service-Selection 





If present, this IE shall contain the Network Identifier part of the APN 

extracted from the IKEAUTH message. 

It shall include the APN that the user shall be connected to. It shall be 

only included if received from UE. In case it is not received, the 3GPP 

AAA Server shall assign the received PDN-GW identity to the default 

APN. 


QoS capabilities 


QoS-Capability 





This IE shall be included if present in the request message. It shall 
indicate to the 3GPP AAA Server that the PGW requests downloading 
a static QoS profile for the UE. The PGW may include this IE only at 
the initial attach of the UE. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 
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Table 9.1.2.1/2: Authentication and Authorization Answer 



Information 
Element Name 


Mapping to 
Diameter AVP 


Cat. 


Description 


EAP Payload 


EAP-Payload 


M 


This IE shall contain the Encapsulated payload for UE - 3GPP AAA 
Server mutual authentication 


IVIaster Session 
Key 


EAP-Master- 
Session-Key 


C 


This IE shall contain the Keying material for protecting the 
communication between the UE and PDN GW. It shall be present only 
if the result code is set to success. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE AUTHENTICATE. See IETF 
RFC 4072 [5]. 


Result Code 


Result-Code / 
Experimental- 
Result-Code 


M 


This IE shall contain the result of the operation. 
The Result-Code AVP shall be used for errors defined in the Diameter 
Base Protocol or as per in NASREQ. The Result-Code 
DIAMETER_MULTI_ROUND_AUTH shall be used in the responses 
that trigger further requests from the PDN GW and 
DIAMETER_SUCCESS shall be included at the successful completion 
of the authentication and authorization procedure. 

The Experimental-Result AVP shall be used for S6b errors. This is a 
grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 
AVP, and the error code in the Experimental-Result-Code AVP. 

If the Result-Code is set to DIAMETER_SUCCESS_RELOCATE_HA 
as defined in IETF RFC 5778 [11], then the 3GPP AAA server is 
indicating to the PGW that it shall initiate a HA switch procedure 
towards the UE. 


I\/1IP Subscriber 
Profile 


IVIIP6-Feature- 
Vector 


C 


This AVP shall be present if the authorization was successful. None of 
the PMIP6_SUPP0RTED or MIP4_SUPP0RTED flags shall be set, 
since DSI\/IIPv6 is used in this case. 


Current User 
Identity 


Mobile-Node- 
Identifier 


M 


This IE shall contains the UE identity. 


APN and PGW 
Data 


APN- 
Configuration 


C 


This information element shall only be sent if the Result-Code AVP is 

set to DIAMETER_SUCCESS. 

This AVP shall contain the default APN, the list of authorized APNs, 

user profile information. 

APN-Configuration is a grouped AVP including the following 

information elements per APN: 

-APN 

- Authorized 3GPP QoS profile 

- Statically allocated User IP Address (IPv4 and/or IPv6) 

- Allowed PDN type (IPv4, IPv6, IPv4v6, IPv4 OR IPv6) 

- APN-AMBR 


Reallocated 
PGW Address 


IVllP6-Agent-lnfo 


C 


This information element shall only be sent if the Result-Code AVP is 
set to DIAMETER_SUCCESS_RELOCATE_HA indicating to the PDN 
GW that it shall initiate a HA switch procedure towards the UE. 
This information element shall contain the PDN GW identity of the 
target PDN GW. 


Session Time 


Session-Timeout 


c 


If the authentication and authorization succeeded, then this IE shall 
contain the time this authorization is valid for. 


QoS resources 


QoS-Resources 


c 


This AVP shall be included only if the OoS-Capability AVP was 
received in the authorization request and the authorization succeeded. 
Then the 3GPP AAA server shall include a static QoS profile in this IE 
during the UE initial attach if the PDN GW included QoS-Capabilities 
AVP in the request message and the UE has been provisioned with a 
static QoS profile. The QoS profile template value in this IE shall be 
set to 0. 


UE Charging 
Data 


3GPP-Charging- 
Characteristics 





If present, this information element shall contain the type of charging 
method to be applied to the user (see 3GPP TS 29.061 [31]). 


3GPP AAA 
Server Name 


Redirect-Host 


c 


This information element shall be sent if the Result-Code value is set 
to DIAMETER_REDIRECT_INDICATIQN. When the user has 
previously been authenticated by another 3GPP AAA Server, it shall 
contain the Diameter identity of the 3GPP AAA Server currently 
serving the user. The node receiving this IE shall behave as defined in 
the Diameter Base Protocol (IETF RFC 3588 [7]). The command shall 
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contain zero or more occurrences of this information element. When 
choosing a destination for the redirected message from multiple 
Redirect-Host AVPs, the receiver shall send the Diameter request to 
the first 3GPP AAA Server in the ordered list received in the Diameter 
response. If no successful response to the Diameter request is 
received, the receiver shall send the Diameter request to the next 
3GPP AAA Server in the ordered list. This procedure shall be repeated 
until a successful response is received from a 3GPP AAA Server. 


Trust 

Relationship 

Indicator 


AN-Trusted 


C 


This AVP shall contain the 3GPP AAA Server's decision on handling 
the non-3GPP access network, i.e. trusted, or untrusted. 
This AVP shall be present if the 3GPP AAA Server is able to make 
decision on whether the access network is Trusted or Untrusted. 


Trace information 


Trace-Info 


C 


This AVP shall be included if the subscriber and equipment trace has 

been activated for the user in the HSS and signalling based activation 

is to be used to download the trace activation from the HSS to the PDN 

GW. 

Only the Trace-Data AVP shall be included to the Trace-Info AVP and 

shall contain the following AVPs: 

- Trace-Reference 

- Trace-Depth 

- Trace-Event-List 

- Trace-Gollection-Entity 

The following AVPs may also be included in the Trace-Data AVP: 

- Trace-Interface-List: if this AVP is not present, trace report generation 
is requested for all interfaces listed in 3GPP TS 32.422 [32] 

- Trace-NE-Type-List, with the only allowed value being "PDN GW (3)". 
If this AVP is not included, trace activation in PDN GW is required. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 



9.1.2.1.2 



PDN GW Detailed Behaviour 



After completing the IKE_S A_INIT exchange, upon receipt of an IKE_AUTH message, including the IDi payload but 
not the AUTH payload, the PDN GW shall send an Diameter-EAP-Request (DER) message towards the 3GPP AAA 
Server / Proxy. The EAP Payload AVP shall contain an EAP-Response/Identity with the identity extracted from the IDi 
field. 

Upon receipt of an IKE_AUTH message with an EAP payload from the UE, the PDN GW shall send an Diameter-EAP- 
Request (DER) with the EAP Payload AVP containing the according EAP -Response to the 3GPP AAA Server / Proxy. 

Upon receipt of a Diameter-EAP-Answer (DEA) message from the 3GPP AAA Server / Proxy, the PDN GW shall then 
send an IKE_AUTH message containing the according EAP Payload to the UE. 

Upon receipt of an IKE_AUTH message with the AUTH payload after the EAP authentication was successful, the 
PDN_GW shall proceed as specified in 3GPP TS 24.303 [13]. 

The PDN GW shall utilize the downloaded APN configuration data, among others, to decide whether the user's request 
for an IPv4 home address and/or IPv6 home address prefix shall be accepted or rejected. 

If the Result-Code AVP is set to DIAMETER_SUCCESS_RELOCATE_HA and if the PGW has received a PGW 
identity in form of the FQDN from the 3GPP AAA server, then the PGW may obtain the IP address of the Home Agent 
functionality of that PGW as described in 3GPP TS 29.303 [34]. 

If Trace-Info AVP has been received in the authentication and authorization response, the PDN GW shall start a trace 
session for the user. For details, see 3GPP TS 32.422 [32]. 



9.1.2.1.3 



3GPP AAA Server Detailed Behaviour 



For S6b, on receipt of the DER message, the 3GPP AAA Server shall process the DER message according to 
3GPP TS 33.402 [19]. For H2, the 3GPP AAA server shall process the DER message according to 3GPP TS 33.234 
[10]. 
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Upon successful completion, a DIAMETER_SUCCESS shall be returned to indicate successful authentication 
procedure and authentication information shall be returned. The AAA server shall also include, among others, the 
MIP6-Feature-Vector AVP, including the subscriber profile of the UE in terms of DSMIPv6 feature the UE is 
authorized to use. 

If the HSS indicates that the user is currently being served by a different PDN GW, the 3GPP AAA Server shall 
respond to to the PDN GW with the Result-Code set to DIAMETER_SUCCESS_RELOCATE_HA and include the new 
assigned PDN GW identity in the MIP6-Agent-Info AVP. 

If the HSS indicates that the user is currently being served by a different 3GPP AAA Server, the 3GPP AAA Server 
shall respond to the PDG-GW with the Result-Code set to DIAMETER_REDIRECT_INDICATION and Redirect-Host 
set to the Diameter identity of the 3GPP AAA Server currently serving the user (as indicated in the 3GPP-AAA-Server- 
Name AVP returned in the SWx authentication response from the HSS). 

The 3GPP AAA Server shall run EAP-AKA as specified in 3GPP TS 33.402 [19]. Exceptions shall be treated as error 
situations and the result code shall be set to DIAMETER_UNABLE_TO_COMPLY. 

Before sending out the AKA challenge, the 3GPP AAA Server shall decide whether the access network is handled as 
Trusted or Untrusted and set the value of the AN -Trusted AVP correspondingly in the answer message to indicate the 
trust relationship of the access network to the PDN GW. The 3GPP AAA Server shall make the decision based on the 
UE Identity and the trust relationship information marked during the authentication and authorization procedure over 
STa, S Wa or S Wm. If the 3GPP AAA server is unable to determine the trust relationship of the access network, it shall 
not include the AN-Trusted AVP in the answer message to the PDN GW. 

9.1 .2.1 .4 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy is required to handle roaming cases in which the PDN GW is in the VPLMN. The 3GPP AAA 
Proxy shall act as a stateful proxy. 

On receipt of the authentication answer that completes a successful authentication, the 3GPP AAA Proxy shall record 
the state of the connection (i.e. Authentication Successful). 

9.1 .2.2 Authorization Procedures when using PIVHRvS or GTPv2 

9.1.2.2.1 General 

The following authorization procedures take place upon a reception of a PBU at the PDN GW from the MAG or upon a 
reception of a Create Session Request at the PDN GW from the ePDG. 

The PDN GW shall update its address information to the 3GPP AAA Server and HSS. Static QoS profile information 
may also be downloaded at the same time. If the PDN GW reports to the 3GPP AAA server that GTPv2 is used over the 
S2b interface , the AAA may decide not to download parameters to the PDN GW on the S6b interface which are 
already provided to the PGW via the ePDG through the SWm and the GTPv2 based S2b interfaces (e.g, static QoS 
profile. Trace Information, APN-AMBR). 

The procedures are based on the reuse of NASREQ IETF RFC 4005 [4] AAR and AAA commands and the Diameter 
extensions defined for PMIP in IETF RFC 5779 [2]. 
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Table 9.1.2.2.1/1: Authorization request 



Information 
Element Name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent User 
Identity 


User-Name 


M 


Tliis IE shall be set to the NAI identifier of the UE as specified in 3GPP 
TS 23.003 [14]. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


This IE shall defines whether the UE is to be authenticated only, 
authorized only or both. AUTHORIZE_ONLY shall be used in this 
case. 


PDN GW Identity 


IVIIP6-Agent-lnfo 





If present, this IE shall contain the identity of the selected PDN GW for 
the UE and the corresponding PDN connection. 


PGW PLMN ID 


Visited-Network- 
Identifier 





This IE shall contain the identifier that allows the home network to 
identify the PLMN where the PGW is located. 


IVIobility features 


IVIIP6-Feature- 
Vector 


IVI 


This IE shall contain the mobility features used by the PDN GW. The 
PDN GW shall set the PMIP6_SUPP0RTED flag or the 
GTPv2_SUPP0RTED flag according to the protocol variant used over 
the S2b interface. 


APN 


Service-Selection 


IVI 


This IE shall contain the Network Identifier part of the APN extracted 
from the PBU or the Create Session Request message. 


QoS capabilities 


QoS-Capability 





If included in the request message, this IE shall indicate to the 3GPP 
AAA server that the PDN GW requests downloading a static QoS 
profile for the UE. The PDN GW may include this IE only at the initial 
attach of the UE. The PDN GW should not include this IE if GTPv2 is 
used over the S2b interface. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 
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Table 9.1.2.2.1/2: Authorization answer 



Information 
Element Name 


IVIapping to 
Diameter AVP 


Cat. 


Description 


Result code 


Result-Code 


M 


This IE shall contain the result of the operation. The possible values of 
the Result-Code AVP are defined in IETF RFC 3588 [7]. This IE shall 
be set to DIAMETER_SUCCESS if the update to the PDN GW 
address succeeded. It shall be set to 

DIAMETER_AUTHORIZATION_REJECTED is the update of the PDN 
GW address failed. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE_ONLY. See IETF RFC 4072 [5]. 


Authorized 
mobility features 


MIP6-Feature- 
Vector 


C 


The 3GPP AAA Server shall insert this AVP if the authorization was 
successful. The PMIP6_SUPP0RTED or the GTPv2_SUPP0RTED 
flag shall be set according to the value received in the Authorization 
request. 


Session time 


Session-Timeout 


C 


If the authorization succeeded, then this IE shall contain the time this 
authorization is valid for. 


APN and PGW 
Data 


APN- 
Configuration 


c 


This information element shall only be sent if the Result-Code AVP is 

set to DIAMETER_SUCCESS. 

This AVP shall contain the user profile information. 

APN-Configuration is a grouped AVP and shall include the following 

information elements: 

-APN 

- Authorized 3GPP QoS profile 

- APN-AMBR 

This information element may not be included in the Authorization 
answer, if the MIP6-Feature-Vector in the Authorization request 
indicates that GTPv2 is used over S2b. 


QoS resources 


QoS-Resources 


c 


This AVP shall be included only if the QoS-Capability AVP was 
received in the authorization request and the authorization succeeded. 
Then the 3GPP AAA server shall include a static QoS profile in this IE 
during the UE initial attach if the PDN GW included a QoS-Capabilities 
AVP in the request message and the UE has been provisioned with a 
static QoS profile. The QoS profile template value in this IE shall be set 
too. 


3GPP AAA 
Server Name 


Redirect-Host 


c 


This information element shall be sent if the Result-Code value is set 
to DIAMETER_REDIRECT_INDICATIQN. When the user has 
previously been authenticated by another 3GPP AAA Server, it shall 
contain the Diameter identity of the 3GPP AAA Server currently 
serving the user. The node receiving this IE shall behave as defined in 
the Diameter Base Protocol (IETF RFC 3588 [7]). The command shall 
contain zero or more occurrences of this information element. When 
choosing a destination for the redirected message from multiple 
Redirect-Host AVPs, the receiver shall send the Diameter request to 
the first 3GPP AAA Server in the ordered list received in the Diameter 
response. If no successful response to the Diameter request is 
received, the receiver shall send the Diameter request to the next 
3GPP AAA Server in the ordered list. This procedure shall be repeated 
until a successful response is received from a 3GPP AAA Server. 


Trace information 


Trace-Info 


c 


This AVP shall be included if the IVIIP6-Feature-Vector in the 
Authorization request indicates that PMIPv6 is used over S2b and if 
the subscriber and equipment trace has been activated or deactivated 
for the user in the HSS GW and signalling based activation is used to 
download the trace {de)activation from the HSS to the PDN GW. 

In an authorization response sent during the authorization procedure at 
PDN connection setup, the Trace-Data AVP shall be included. 
In an authorization response sent during the service authorization 
information update procedure, 

- the Trace-data AVP shall be included if trace activation is requested 

- the Trace-Reference AVP shall be included, if trace deactivation is 
requested. 

If the Trace-Data AVP is included, it shall contain the following AVPs: 

- Trace- Reference 

- Trace- Depth 

- Trace-Event-List 
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- Trace-Collection-Entity 

The following AVPs may also be included in the Trace-Data AVP: 

- Trace-Interface-List: if this AVP is not present, trace report generation 
is requested for all interfaces listed in 3GPP TS 32.422 [32] 

- Trace-NE-Type-List, with the only allowed value being "PDN GW (3)". 
If this AVP is not included, trace activation in PDN GW is required. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 



9.1.2.2.2 



PDN GW Detailed Behaviour 



Upon receipt of a PBU message from the MAG or upon receipt of a Create Session Request from the ePDG which 
requires the establishment of a new PDN connection via the non-3GPP access, the PDN GW shall initiate an 
authorization procedure, by sending an Authorization Request message to the 3GPP AAA server or to the 3GPP AAA 
Proxy, with the Auth-Request-Type set to AUTHORIZE_ONLY, in order to update the PGW Address for the APN and 
the selected S2b protocol variant, as well as to optionally download any UE specific APN profile information such as IP 
address allocation information, QoS Information, Session timeouts. Session Idle timeouts etc. 

The PDN GW shall include in the request the APN where the user shall be connected to. 

The PDN GW Identity and PLMN shall only be included in the initial request to the 3GPP AAA server; subsequent 
authorization messages (due to a handover to a different MAG, for instance) shall not include it again. 

After successful reception of the Authorization Request message, the PDN GW shall check that the Result-Code is set 
to DIAMETER_SUCCESS and, if so, it shall proceed to connect the user to the specified APN. 

For PMIPv6 based S2b, if Trace-Info AVP including Trace-Data has been received in the authorization response, the 
PDN GW shall start a trace session for the user. If Trace-Info including Trace-Reference (directly under the Trace-Info) 
has been received in the authorization response, the PDN GW shall stop the ongoing trace session, identified by the 
Trace-Reference. For details, see 3GPP TS 32.422 [32]. 

For GTPv2 based S2b, the PDN GW shall ignore the Trace-Info AVP if received in the authorization response. 

NOTE: For GTPv2 based S2b, trace is activated and deactivated via the SWm and GTPv2 based S2b interfaces. 



9.1.2.2.3 



3GPP AAA Server Detailed Behaviour 



Upon receipt of the Authorization Request message from the PDN GW, the 3GPP AAA Server shall update the PDN 
GW information for the APN for the UE on the HSS. 

The 3GPP AAA Server must check whether the user's profile is available. 

If the user's data exist in the 3GPP AAA Server, it shall check, whether it also has an active access authorization session 
for the user. 

If not, the 3GPP AAA Server shall reject the authorization request, including the Result-Code 
DIAMETER_AUTHORIZATION_REJECTED. 

If the 3GPP AAA Server has an existing authorization session, 

- If the APN requested by the PDN GW is included in the hst of authorized APNs of the user, then the3GPP 
AAA Server shall include the Service-Selection AVP in the authorization answer and set the Result-Code to 
DIAMETER_SUCCESS. 

If the APN requested by the PDN GW is not included in the list of authorized APNs, then the status code 
DIAMETER. AUTHORIZATION_REJECTED shall be returned to the PDN GW to indicate an unsuccessful 
authorization. 
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If the user's profile does not exist in the 3GPP AAA Server, it shall retrieve the Diameter identity of the 3GPP AAA 
Server currently serving the user from the HSS following the procedures for subscriber profile download as specified in 
section 8.1.2.2.2. Depending on the HSS response, 

If the HSS indicates that the user is currently being served by a different 3GPP AAA Server, the 3GPP AAA 
Server shall respond to the PDG-GW with the Result-Code set to DIAMETER_REDIRECT_INDICATION and 
Redirect-Host set to the Diameter identity of the 3GPP AAA Server currently serving the user (as indicated in 
the 3GPP-AAA-Server-Name AVP returned in the SWx authentication response from the HSS). 

- If the HSS returns DIAMETER_ERROR_USER_UNKNOWN, the 3GPP AAA Server shall return the same 
error to the PDN GW. 

If the HSS sends the user's profile to the 3GPP AAA Server, the authorization shall be rejected by setting the 
Result-Code to DIAMETER_AUTHORIZATION_REJECTED. The 3GPP AAA Server shall delete the 
downloaded user profile. 

NOTE: The last outcome corresponds to the case that the user has no active access authorization procedure. This 
is considered as an error situation, e.g. the Trusted Non-3GPP GW may have sent PBU without 
authorizing the user. 



9.1.2.2.4 



3GPP AAA Proxy Detailed Behaviour 



The 3GPP AAA Proxy is required to handle roaming cases in which the PDN GW is located in the VPLMN. The 3GPP 
AAA Proxy shall act as a stateful proxy. 

On receipt of the authorization answer, the 3GPP AAA Proxy 

shall check locally configured information for the maximum allowed static QoS parameters valid for visitors 
from the given HPLMN and modify the QoS parameters received from the 3GPP AAA Server, to enforce the 
policy limitations. 

shall record the state of the connection (i.e. Authorization Successful). 



9.1.2.3 



PDN GW Initiated Session Termination Procedures 



9.1.2.3.1 



General 



The S6b reference point allows the PDN GW to inform the 3GPP AAA server that the UE disconnected a PDN 
connection associated to an APN, or that the PDN connection was handed over to the 3GPP access, and therefore the 
mobility session established for this PDN connection is to be removed. 

The procedure shall be initiated by the PDN GW. These procedures are based on the reuse of Diameter Base IETF RFC 
3588 [7] STR and STA commands. 

Each PDN connection shall be identified by the Diameter Session-Id parameter. 

Table 9.1.2.3.1/1 : S6b Session Termination Request 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 


Termination 
Cause 


Termination- 
Cause 


M 


This IE shall contain the reason for the disconnection, according to the 
values and reasons described in IETF RFC 3588 [7]. In particular: 

- If the session is terminated as a result of a PDN disconnection initiated by 
the UE, the Termination-Cause shall be set to the value 
DIAMETER_L0G0UT(1) 

- If the session is terminated as a result of a PDN handover towards 3GPP 
access, the Termination-Cause shall be set to the value 

DIAMETER USER MOVED (7) 
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Table 9.1.2.3.1/2: S6b Session Termination Answer 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for S6b errors. 



9.1.2.3.2 



PDN GW Detailed Behaviour 



The PDN GW shall make use of this procedure when the PDN Connection associated to the diameter session is, either 
disconnected, or handed over to the 3GPP access. 

Upon receipt of the Session Termination Answer message from the 3GPP AAA Server or from the 3GPP AAA Proxy, 
the PDN GVV' shall check the Result Code AVP, and in case of a DIAMETER_SUCCESS code, it shall release the 
context associated to the active session identified by the Session-Id parameter used in the initial authorization exchange. 



9.1.2.3.3 



3GPP AAA Server Detailed Behaviour 



Upon receipt of the Session Termination Request message from the PDN GW or from the 3GPP AAA Proxy, the 3GPP 
AAA Server shall check that there is an ongoing session associated to any of the parameters received in the message 
(Session-Id and User Name). 

If an active session is found, the 3GPP AAA Server shall release the session context associated to the specified session, 
and a Session Termination Answer message shall be sent to the PDN GW or 3GPP AAA Proxy, indicating 
DIAMETER_SUCCES S . 

If the Session-Id included in the request does not correspond with any active session, or if an active session is found but 
it does not belong to the user identified by the User Name parameter, then a Session Termination Answer message shall 
be sent to the PDN GW or 3GPP AAA Proxy, indicating DIAMETER_UNKNOWN_SESSION_ID. 



9.1.2.3.4 



3GPP AAA Proxy Detailed Behaviour 



The 3GPP AAA Proxy is required to handle roaming cases in which the PDN GW is located in the VPLMN. The 3GPP 
AAA Proxy shall act as a stateful proxy. 

On receipt of the Session Termination Request message from the PDN GW, the 3GPP AAA Proxy shall route the 
message to the 3GPP AAA Server. 

On receipt of the Session Termination Answer message from the 3GPP AAA Server, the 3GPP AAA Proxy shall route 
the message to the PDN GW, and it shall release any local resources associated to the specified sessions only if the 
result code is set to DIAMETER SUCCESS. 



9.1.2.4 



3GPP AAA Initiated Session Termination Procedures 



9.1.2.4.1 



General 



The S6b reference point allows the 3GPP AAA server to order a PDN GW to remove a PDN connection previously 
activated by the UE. 

This procedure shall be initiated by the 3GPP AAA server. This indicates to the PDN GW to remove the corresponding 
PDN connection (identified by Session-ID AVP and User-Name AVP). This procedure is based on the reuse of 
NASREQ IETF RFC 4005 [4] ASR, ASA, STR and STA commands. 

The 3GPP AAA Server shall include the Auth-Session-State AVP in the ASR command with a value of 
NO_STATE_MAINTAINED if it does not require a STR from the PDN GW. If it does require a STR from the PDN 
GW, the 3GPP AAA Server shall either omit the Auth-Session-State AVP from the ASR command or include the Auth- 
Session-State AVP in the ASR command with a value of STATE MAINTAINED. 
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Table 9.1.2.4.1/1 : S6b Abort Session Request 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent 
User Identity 


User-Name 


M 


This information element shall contain the identity of the user. 


Auth-Session- 
State 


Auth-Session- 
State 





If present, this information element shall indicate to the PDN GW whether 
the 3GPP AAA Server requires an SIR message. 



Table 9.1.2.4.1/2: S6b Abort Session Answer 



Information 
Element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for S6b errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 



Table 9.1.2.4.1/3: S6b Session Termination Request 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Termination- 
Cause 


Termination- 
Cause 


M 


This information element shall contain the reason why the 
session was terminated. It shall be set to 
"DIAMETER_ADMINISTRATIVE" to indicate that the 
session was terminated in response to an ASR message. 



Table 9.1.2.4.1/4: S6b Session Termination Answer 



Information 
element name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result-Code 


Result-Code 


M 


This IE shall indicate the result of the operation. 



9.1.2.4.2 



PDN GW Detailed Behaviour 



Upon receipt of the Abort Session Request message from the 3GPP AAA Server or from the 3GPP AAA Proxy, the 
PDN GW shall check that there is an ongoing session with the received session-ID. 

If an active session is found: 

In the PMIPv6 or GTPv2 or MIPv4 cases, the PDN GW shall release any resources associated with the identified 
diameter session, but it shall not terminate any associated PDN connection. 

In the DSMIPv6 case, the PDN GW shall initiate a termination procedure for the associated PDN connection, 
and shall release any resources associated with the identified diameter session. 

If the termination procedure is successful for the identified session, an Abort Session Answer message shall be sent to 
the 3GPP AAA Server or 3GPP AAA Proxy, indicating DIAMETER_SUCCESS. 

If the Session-Id included in the request does not correspond with any active session, or if an active session is found but 
it does not belong to the user identified by the User Name parameter, then an Abort Session Answer message shall be 
sent to the 3GPP AAA Server or 3GPP AAA Proxy, indicating DIAMETER_UNKNOWN_SESSION_ID. 

If the termination procedure for the identified session cannot be completed successfully, an Abort Session Answer 
message shall be sent to the 3GPP AAA Server or 3GPP AAA Proxy, indicating 
DIAMETER UNABLE TO COMPLY. 
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If the termination procedure was successful for the identified session and the STR is required by the 3GPP AAA Server, 
the PDN GW shall send an STR to the 3GPP AAA Server with the Termination-Cause set to 
DIAMETER_ADMINISTRATIVE. 

9.1 .2.4.3 3GPP AAA Server Detailed Behaviour 

The 3GPP AAA Server shall intiate a separate procedure for each active PDN connection of the user, even if the user 
has several PDN connections via the same PDN GW. 

Upon receipt of the Abort Session Answer message from the PDN GW or from the 3GPP AAA Proxy, the 3GPP AAA 
Server shall check the Result Code AVP, and in case of a DIAMETER_SUCCESS code, it shall release the context 
associated to the active session identified by the Session-Id parameter. 

If the error code DIAMETER_UNABLE_TO_COMPLY is received in the Result Code AVP, the 3GPP AAA Server 
shall not release the context for the identified session. 

If the error code DIAMETER_UNKNOWN_SESSION_ID is received in the Result Code AVP, the 3GPP AAA Server 
shall release the context for the identified session. 

On receipt of the STR from PDN GW, the 3GPP AAA Server shall return an STA command with the Result-Code set 
to DIAMETER_SUCCESS. 

9.1 .2.4.4 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy is required to handle roaming cases in which the PDN GW is located in the VPLMN. The 3GPP 
AAA Proxy shall act as a stateful proxy. 

On receipt of the Abort Session Request message from the 3GPP AAA Server, the 3GPP AAA Proxy shall route the 
message to the PDN GW. 

If the 3GPP AAA Proxy requires an STR but the 3GPP AAA Server does not, the 3GPP AAA Proxy may override the 
value of the Auth-Session-State in the ASR and set it to STATE_MAINTAINED. In this case, the 3GPP AAA Proxy 
shall not forward the STR received from the PDN GW onto the 3GPP AAA Server and shall return an STA command 
to the PDN GW with the Result-Code set to DIAMETER_SUCCESS. The 3GPP AAA Proxy shall not override the 
value of the Auth-Session-State AVP under any other circumstances. 

On receipt of the Abort Session Answer message from the PDN GW, the 3GPP AAA Proxy shall route the message to 
the 3GPP AAA Server, and it shall release any local resources associated to the specified session only if the result code 
is set to DIAMETER_SUCCESS. 

When the 3GPP AAA Proxy receives the STR from PDN GW, it shall route the request to the 3GPP AAA Server. On 
receipt of the STA message, the 3GPP AAA Proxy shall route the response to the PDN GW. 

9.1 .2.5 Service Authorization Information Update Procedures 

9.1.2.5.1 General 

The S6b reference point allows the 3GPP AAA server to modify the authorization information previously provided to 
the PDN GW, i.e. during Service Authentication and Authorization when using DSMIPv6, or Service Authorization 
using PMIPv6 or GTPv2 or MIPv4, or the service authorization information provided during a previous Service 
Authorization update. This procedure is triggered by the modification of the non-3GPP profile of the UE or by 
activating or deactivating subscriber and equipment trace in the HSS. This procedure is also triggered by the 
authentication and authorization via STa or SWm, when the 3GPP AAA Server detects that an S6b session already 
exists for the UE, as specified in section 5.1.2.1.2 and 7.1.2.1.2. In this case, the 3GPP AAA Server shall use this 
procedure to send the trust relationship to the PDN GW. 

The Service Authorization Information Update procedure is performed in two steps: 

1 . The 3GPP AAA server issues an unsolicited re-authentication and/or re-authorization request towards the PDN 
GW. Upon receipt of this request, the PDN GW responds to the request and indicates the disposition of the 
request. This procedure is based on the reuse of Diameter Base IETF RFC 3588 [7] RAR and RAA commands. 
The information element content for these messages is shown in tables 9.1.2.5.1/1 and 9.1.2.5.1/2. 
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2. After receiving the re-authorization request, the PDN GW invokes for the indicated APN. The authorization 
procedure for PMIPv6 or GTPv2 is described in the section 9.1.2.2 (Service Authorization). Tables 9.1.2.5.1/3 
and 9.1.2.5.1/4 describe the message contents in case of DSMlPv6. 

Table 9.1.2.5.1/1: S6b Re-authorization request 



Information 
Element Name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent User 
Identity 


User-Name 


M 


This information element shall contain the identity of the user 


Request Type 


Re-Auth-Request- 
Type 


M 


This shall defines whether re-authentication or re-authorization is 
required. AUTHORIZE ONLY shall be used in this case. 


Trust 

Relationship 

Update 


Trust- 

Relationship- 

Update 


C 


This shall indicate that this re-authorization procedure is only used for 
the 3GPP AAA Server to send the trust relationship to the PDN GW 
when the 3GPP AAA Server detects that an S6b session already 
exists for the UE and the S6b session was established as a result of 
an authentication request for DSIVIIPv6 during the authentication and 
authorization procedure via STa or SWm. 



Table 9.1.2.5.1/2: S6b Re-authorization response 



Information 
Element Name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Result 


Result-Code / 
Experimental- 
Result 


M 


This IE shall contain the result of the operation. 

The Result-Code AVP shall be used for errors defined in the Diameter Base 

Protocol. 

The Experimental-Result AVP shall be used for S6b errors. This is a 

grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 

AVP, and the error code in the Experimental-Result-Code AVP. 



Table 9.1.2.5.1/3: Authorization Request when using DSMIPv6 



Information 
Element Name 


Mapping to 
Diameter AVP 


Cat. 


Description 


User identity 


User-Name 


M 


This information element shall contain the identity of the user 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


This IE defines whether the UE is to be authenticated only, authorized 
only or both. AUTHORIZE ONLY shall be used in this case. 


PGW PLMN ID 


Visited-Network- 
Identifier 


C 


This IE shall contain the identifier that allows the home network to 
identify the PLMN where the PGW is located. 


Access Type 


RAT-Type 


M 


This IE shall contain the non-3GPP access network technology type 
that is serving the UE. 


PDN GW Identity 


IVIIP6 -Agent-info 


M 


This IE shall contain the FQDN and/or IP address(es) of the PDN GW 
that the user is connected to. 


APN 


Service-Selection 





This IE shall contain the Network Identifier part of the APN extracted 

from the IKEAUTH message. 

It shall include the APN that the user shall be connected to. It shall be 

only included if received from UE. In case it is not received, the 3GPP 

AAA server shall assign the received PDN-GW identity to the default 

APN. 


QoS capabilities 


QoS-Capability 


C 


If included in the request message, this IE shall indicate to the 3GPP 
AAA server that the PGW is capable of downloading a static OoS 
profile for the UE. The PGW shall include this IE only during UE the 
initial attach. 
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Table 9.1.2.5.1/4: Authorization Answer when using DSI\/IIPv6 



Information 
Element Name 


IVIapping to 
Diameter AVP 


Cat. 


Description 


Result Code 


Result-Code / 
Experimental- 
Result-Code 


M 


This IE shall contain the result of the operation. 
The Result-Code AVP shall be used for errors defined in the Diameter 
Base Protocol or as per in NASREQ. 1xxx should be used for multi- 
round, 2xxx for success. 

The Experimental-Result AVP shall be used for S6b errors. This is a 
grouped AVP which shall contain the 3GPP Vendor ID in the Vendor-Id 
AVP, and the error code in the Experimental-Result-Code AVP. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE_ONLY. See IETF RFC 4072 [5]. 


Current User 
Identity 


Mobile-Node- 
Identifier 


M 


This IE shall contain the UE identity in EPS. 


APN and PGW 
Data 


APN- 
Configuration 


C 


This information element shall only be sent if the Result-Code AVP is 

set to DIAMETER_SUCCESS. 

This AVP shall contain the default APN, the list of authorized APNs, 

and user profile information. 

The APN-Configuration is a grouped AVP and shall include the 

following information elements per APN: 

-APN 

- Authorized 3GPP QoS profile 

- Statically allocated User IP Address (IPv4 and/or IPv6) 

- VPLMN Dynamic Address Allowed. 

This information element might not be present if the authorization 
procedure is triggered by the 3GPP AAA Server to send the trust 
relationship to the PDN GW. 


Session Time 


Session-Timeout 


C 


If the authentication and authorization succeeded, then this IE shall 
contain the time this authorization is valid for. 
This information element might not be present if the authorization 
procedure is triggered by the 3GPP AAA Server to send the trust 
relationship to the PDN GW. 


QoS resources 


QoS-Resources 


c 


If the authentication and authorization succeeded, then the 3GPP AAA 

server shall include a static QoS profile in this IE during the UE initial 

attach if the PGW included QoS-Capabilities AVP in the request 

message and the UE has been provisioned with a static QoS profile. 

The QoS profile template value in this IE shall be set to 0. 

This IE shall contain the QoS Profile authorized by the 3GPP AAA 

server for the requested APN based on the subscribed QoS 

parameters. 

This information element might not be present if the authorization 

procedure is triggered by the 3GPP AAA Server to send the trust 

relationship to the PDN GW. 


Trace information 


Trace-Info 


c 


This AVP shall be included if the subscriber and equipment trace has 

been activated or deactivated for the user in the HSS and signaling 

based activation is used to download the trace (de)activation from the 

HSS to the PDN GW. 

Trace-data AVP shall be included (directly under the Trace-Info) if 

trace activation is requested 

Trace-Reference AVP shall be included, if trace deactivation is 

requested. 

If the Trace-Data AVP is included, it shall contain the following AVPs: 

- Trace-Reference 

- Trace-Depth 

- Trace-Event-List 

- Trace-Collection-Entity 

The following AVPs may also be included in the Trace-Data AVP: 

- Trace-Interface-List: if this AVP is not present, trace report generation 
is requested for all interfaces listed in 3GPP TS 32.422 [32] 

- Trace-NE-Type-List, with the only allowed value being "PDN GW (3)". 
If this AVP is not included, trace activation in PDN GW is required. 
This information element might not be present if the authorization 
procedure is triggered by the 3GPP AAA Server to send the trust 
relationship to the PDN GW. 



£75/ 



3GPP TS 29.273 version 10.7.0 Release 10 



101 



ETSI TS 129 273 VI 0.7.0 (2012-10) 



Trust 

Relationship 

Indicator 


AN-Trusted 


C 


This AVP shall contain the 3GPP AAA Server's decision on handling 
the non-3GPP access network, i.e. trusted, or untrusted. 
This AVP shall be sent if this re-authorization procedure is triggered by 
the authentication and authorization via STa or SWm, when the 3GPP 
AAA Server detects that an S6b session already exists for the UE and 
the S6b session was established as a result of an authentication 
request for DSIVIIPv6. 



9.1.2.5.2 



Detailed Behaviour 



The 3GPP AAA server shall make use of this procedure in two steps to indicate and update relevant service 
authorization information in the PDN GW. 

The 3GPP AAA server shall send a re-authorization request for all authorization sessions that are active for the user. 

Each PDN GW, upon reception of an unsolicited re-authentication and/or re-authorization request shall perform the 
following check and if there is an error detected, the PDN GW shall stop processing and return the corresponding error 
code. 

Check the Re-Auth-Request-Type AVP: 

1 . If it indicates AUTHENTICATE_ONLY, Result-Code shall be set to DIAMETER_INVALID_AVP_VALUE. 

2. If it indicates AUTHORIZE_ONLY, then, depending on the used IP mobility protocol 

In case of PMIPv6 or GTPv2, the PDN GW shall perform an authorization procedure as described in section 

9.1.2.2. 

In case of DSMIPv6, the PDN GW shall perform an authorization procedure, sending an authorization 
request described in Tables 9.1.5.1/3 and 9.1.5.1/4. If the Trust-Relationship-Update AVP is present in the 
request, the PDN GW may send an authorization request with only mandatory AVPs. 

3. If it indicates AUTHORIZE_AUTHENTICATE, Result-Code shall be set to 
DIAMETER_INVALID_AVP_VALUE. 

When receiving the authorization request, if the authorization procedure is triggered by the 3GPP AAA Server to send 
the trust relationship to the PDN GW, the 3GPP AAA Server shall send the trust relationship of the access network for 
the subscriber to the PDN GW with Result-Code DIAMETER_SUCCESS. Otherwise, the 3GPP AAA Server shall 
check, whether 

the subscriber still has non-3GPP subscription to access EPC network 

the non-3GPP APNs are enabled for the user, and 

the updated user profile contains the APN, for which the given authorization session was created. 

If any of the checked conditions are not met, the 3GPP AAA Server shall set the Result-Code to 
DIAMETER_AUTHORIZATION_REJECTED. Otherwise, it shall respond with Result-Code 
DIAMETER_SUCCES S . 

After successful service authorization information update procedure, the PDN GW shall overwrite the stored user and 
APN data, for the subscriber identity indicated in the request, with the information received from the 3GPP AAA 
server. A session termination shall be initiated if the subscriber is no longer authorized to use the activated APN. If only 
trust relationship of the access network is received, the PDN GW shall keep all stored user and APN data for the 
subscriber identity as indicated in the request. 

For PMIPv6 based S2b, if Trace-Info AVP including Trace-Data has been received in the authorization response, the 
PDN GW shall start a trace session for the user. If Trace-Info including Trace-Reference (directly under the Trace-Info) 
has been received in the authorization response, the PDN GW shall stop the ongoing trace session, identified by the 
Trace-Reference. For details, see 3GPP TS 32.422 [32]. 

For GTPv2 based S2b, the PDN GW shall ignore the Trace-Info AVP if received in the authorization response. 

NOTE: For GTPv2 based S2b, trace is activated and deactivated via the SWm and GTPv2 based S2b interfaces. 
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9.1.2.6 



Authorization Procedures when using MIPv4 FACoA 



9.1.2.6.1 General 

The following authorization procedures take place upon a reception of a RRQ at the PDN GW from the FA. 

The PDN GW shall update its address information to the 3GPP AAA Server and HSS. Static QoS profile information 
may also be downloaded at the same time. 

MIPv4 security parameters shall be exchanged between the PDN GW and the 3GPP AAA Server. 

The procedures are based on the reuse of NASREQ IETF RFC 4005 [4] AAR and AAA commands. 

Table 9.1.2.6.1/1: Authorization request 



Information 
Element Name 


Mapping to 
Diameter AVP 


Cat. 


Description 


Permanent User 
Identity 


User-Name 


M 


This IE shall contain the NAI identifier of the UE as specified in 3GPP 
TS 23.003 [14]. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


This IE shall define whether the UE is to be authenticated only, 
authorized only or both. AUTHORIZE_ONLY shall be used in this 
case. 


PDN GW Identity 


IVIIP6-Agent-lnfo 





This IE shall contain the address and possibly the FQDN of the 
selected PDN GW for the UE and the corresponding PDN connection 


PGW PLMN ID 


Visited-Network- 
Identifier 





This IE shall contain the identifier that allows the home network to 
identify the PLMN where the PGW is located. 


IVIobility features 


IVIIP6-Feature- 
Vector 


M 


This IE shall contain the mobility features used by the PDN GW. The 
MIP4 SUPPORTED flag shall be set 


APN 


Service-Selection 





If present this IE shall contain the Network Identifier part of the APN 
extracted from the RRQ message. In case it is not received, the 3GPP 
AAA Server shall assign the received PDN-GW identity to the default 
APN. 


QoS capabilities 


QoS-Capability 





If included in the request message, this IE shall indicate to the 3GPP 
AAA Server that the PDN GW requests downloading of a static QoS 
profile for the UE. The PDN GW may include this IE only at the initial 
attach of the UE. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 


IVIN-HA security 
parameter index 


MIP-MN-HA-SPI 





This IE shall contain the MN-HA security parameter index which is 
used in identifying IVIN-HA shared key as defined by 3GPP TS 33.402 
[19]. It shall be included when the PDN-GW does not have the MN-HA 
shared key required to verify the MIPv4 RRQ message. 
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Table 9.1.2.6.1/2: Authorization answer 



Information 
Element Name 


IVIapping to 
Diameter AVP 


Cat. 


Description 


Result code 


Result-Code 


M 


This IE shall contain the result of the operation. The possible values of 
the Result-Code AVP are defined in IETF RFC 3588 [7]. This IE shall 
be set to DIAIVIETER_SUCCESS if the authorization of a IVIAG or the 
update to the PDN GW address succeeded. It shall be set to 
DIAMETER_AUTHORIZATION_REJECTED is the authorization of a 
new IVIAG or the update of the PDN GW address failed. 


Authentication 
Request Type 


Auth-Request- 
Type 


M 


It shall contain the value AUTHORIZE_ONLY. See IETF RFC 4072 [5]. 


Authorized 
mobility features 


MIP6-Feature- 
Vector 


C 


The 3GPP AAA Server shall insert this AVP if the authorization was 
successful. The MIP4 SUPPORTED flag shall be set. 


Session time 


Session-Timeout 


C 


If the authorization succeeded, then this IE shall contain the time this 
authorization is valid for. 


QoS resources 


QoS-Resources 





This AVP shall be included only if the QoS-Capability AVP was 
received in the authorization request and the authorization succeeded. 
Then the 3GPP AAA Server shall include a static QoS profile in this IE 
during the UE initial attach if the PDN GW included QoS-Capabilities 
AVP in the request message and the UE has been provisioned with a 
static QoS profile. The QoS profile template value in this IE shall be set 
too. 


3GPP AAA 
Server Name 


Redirect-Host 


c 


This information element shall be sent if the Result-Code value is set 
to DIAMETER_REDIRECT_INDICATION. When the user has 
previously been authenticated by another 3GPP AAA Server, it shall 
contain the Diameter identity of the 3GPP AAA Server currently 
serving the user. The node receiving this IE shall behave as defined in 
the Diameter Base Protocol (IETF RFC 3588 [7]). The command shall 
contain zero or one occurrence of this information element. 


Supported 
Features 
(See 3GPP TS 
29.229 [24]) 


Supported- 
Features 





If present, this information element shall contain the list of features 
supported by the origin host for the lifetime of the Diameter session. 


MN-HA shared 
key 


MIP-Session-Key 


c 


This information element contains the IVIN-HA shared key as defined 
by 3GPP TS 33.402 [19], it shall be included if the Result-Code value 
is set to DIAMETER_SUCCESS and the MIP-MN-HA-SPI was sent in 
the authorization request.. 


APN Data 


APN- 
Configuration 


c 


This information element shall only be sent if the Result-Code AVP is 

set to DIAMETER_SUCCESS. 

This AVP shall contain the user profile information. 

APN-Configuration is a grouped AVP and shall include the following 

information elements: 

-APN 

- Authorized 3GPP QoS profile 

- APN-AMBR 



9.1.2.6.2 



PDN GW Detailed Behaviour 



Upon receipt of a RRQ message from the FA, the PDN GW shall initiate an authorization procedure, by sending an 
Authorization Request message to the 3GPP AAA Server or to the 3GPP AAA Proxy, with the Auth-Request-Type set 
to AUTHORIZE_ONLY, in order to update the PGW Address for the APN, as well as to download any UE specific 
APN profile information such as IP address allocation information, QoS Information, Session timeouts. Session Idle 
timeouts, MIPv4 security parameters etc. 

If the APN was included in the RRQ message, the PDN GW shall include in the request the APN where the user shall 
be connected. 

The PDN GW Identity shall only be included in the initial request to the 3GPP AAA Server; subsequent authorization 
messages (due to a handover to a different FA, for instance) shall not include it again. 

If the PDN GW does not have a MN-HA shared key associated with the SPI received in the RRQ MN-HA-AE, the 
PDN GW shall include the SPI in the Authorization Request to the 3GPP AAA Server. 
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After successful reception of the Authorization Request message, the PDN GW shall check that the Result-Code is set 
to DIAMETER_SUCCESS and, if so, it shall use the MN-HA key to verify the MN-HA AE of the RRQ received from 
the FA. 

If the PDN-GW successfully verifies the MN-HA- AE it shall proceed to connect the user to the specified APN, and will 
send the RRP message to the FA. 

9.1 .2.6.3 3GPP AAA Server Detailed Behaviour 

Upon receipt of the Authorization Request message from the PDN GW, the 3GPP AAA Server shall update the PDN 
GW information for the APN for the UE on the HSS. If the APN was not received from the PDN GW the 3GPP AAA 
Server shall assign the received PDN-GW identity to the default APN . 

The 3GPP AAA Server must check that the user exists. If the user's data exists in the 3GPP AAA Server, it shall check, 
whether it also has an active access authorization session for the user. 

If not, the 3GPP AAA Server shall reject the authorization request, including the Result-Code 
DIAMETER_AUTHORIZATION_REJECTED. 

If the 3GPP AAA Server has an existing authorization session, 

- If the APN requested by the PDN GW is included in the list of authorized APNs of the user, then the 3GPP 
AAA Server shall include the Service-Selection AVP in the authorization answer. If no APN was requested 
the Service-Selection AVP shall contain the default APN. 

If the MN-HA-SPI was included in the request and it matches the SPI belonging to a S A of the user then 
the 3GPP AAA Server shall include the MIP-Session-Key of the SA in the authorization answer and set 
the Result-Code to DIAMETER_SUCCESS. 

If the MN-HA-SPI was included in the request and there is no match with a SPI belonging to a S A of the 
user then the status code DIAMETER. AUTHORIZATION_REJECTED shall be returned to the PDN 
GW to indicate an unsuccessful authorization. 

If the APN requested by the PDN GW is not included in the list of authorized APNs, then the status code 
DIAMETER_AUTHORIZATION_REJECTED shall be returned to the PDN GW to indicate an unsuccessful 
authorization. 

If the user's profile does not exist in the 3GPP AAA Server, it shall retrieve the Diameter identity of the 3GPP AAA 
Server currently serving the user from the HSS following the procedures for subscriber profile download as specified in 
section 8.1.2.2.2. Depending on the HSS response. 

If the HSS indicates that the user is currently being served by a different 3GPP AAA Server, the 3GPP AAA 
Server shall respond to the PDG-GW with the Result-Code set to DIAMETER_REDIRECT_INDICATION and 
Redirect-Host set to the Diameter identity of the 3GPP AAA Server currently serving the user (as indicated in 
the 3GPP-AAA-Server-Name AVP returned in the SWx authentication response from the HSS). 

- If the HSS returns DIAMETER_ERROR_USER_UNKNOWN, the 3GPP AAA Server shall return the same 
error to the PDN GW. 

If the HSS sends the user's profile to the 3GPP AAA Server, the authorization shall be rejected by setting the 
Result-Code to DIAMETER_AUTHORIZATION_REJECTED. The 3GPP AAA Server shall delete the 
downloaded user profile. 

NOTE: The last outcome corresponds to the case that the user has no active access authorization procedure. This 
is considered as an error situation, e.g. the Trusted Non-3GPP GW may have sent RRQ without 
authorizing the user. 

9.1 .2.6.4 3GPP AAA Proxy Detailed Behaviour 

The 3GPP AAA Proxy is required to handle roaming cases in which the PDN GW is located in the VPLMN. The 3GPP 
AAA Proxy shall act as a stateful proxy. 
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On receipt of the authorization answer, the 3GPP AAA Proxy 

shall check locally configured information for the maximum allowed static QoS parameters valid for visitors 
from the given HPLMN and modify the QoS parameters received from the 3GPP AAA Server, to enforce the 
policy limitations. 

shall record the state of the connection (i.e. Authorization Successful). 

9.2 Protocol Specification 

9.2.1 General 

The S6b reference point shall be based on Diameter, as defined in IETF RFC 3588 [7] and contain the following 
additions and extensions: 

IETF RFC 4005 [4], which defines a Diameter protocol application used for Authentication, Authorization 
and Accounting (AAA) services in the Network Access Server (NAS) environment. 

IETF RFC 5779 [2], which defines a Diameter extensions and application for PMIPv6 MAG to AAA and 
LMA to AAA interfaces. 

IETF RFC 5777 [9], which defines attribute value pairs to convey QoS information between Diameter peers. 

The PDN GW to 3GPP AAA server or the PDN GW to 3GPP AAA proxy communication shall use the LMA to AAA 
interface functionality defined in IETF RFC 5779 [2] to update the 3GPP AAA server with PDN GW identity, indicate 
the protocol selected on S2b and optionally to retrieve mobility related parameters and static QoS profiles, when 
PMIPv6 based S2a or PMIPv6 based S2b or GTPv2 based S2b is used. 

The PDN-GW acts as a LMA when the UE attaches to the EPC using the S2a or S2b reference points, and PMIPv6 is 
used. The PDN GW also follows the LMA to AAA interface functionality defined in IETF RFC 5779 [2] when UE 
attaches to the EPC using S2b reference point and GTPv2 is used. The PDN GW acts as HA when the UE attaches to 
the EPC using the S2a reference point and MIPv4 is used. 

In the case the UE attached to the EPC using the S2c reference point, then the communication between the PDN GW 
and HA, IETF RFC 5778 [11] shall be used. The Application Id to be advertised over the S6b reference point 
corresponds to the DSMIPv6 "Diameter Mobile IPv6 IKE (MIP6I)" Application Id as defined in IETF RFC 5778 [11]. 

IKEv2 EAP-based initiator authentication is used for authenticating and authorizing the UE and updating the PDN-GW 
identity. In this case, the PDN GW or HA shall act as the NAS, as described in 3GPP TS 33.234 [10]. 

9.2.2 Commands 

9.2.2.1 Commands for S6b DSMIPvS Authorization Procedures 

9.2.2.1 .1 Diameter-EAP-Request (DER) Command 

The Diameter-EAP-Request (DER) command, indicated by the Command-Code field set to 268 and the "R" bit set in 
the Command Flags field, is sent from a PGW to a 3GPP AAA server. The Command Code value and the ABNF are re- 
used fi-om the IETF RFC 5778 [11]. 
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< Diameter-EAP-Request > ::= < Diameter Header: 268, REQ, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-Id } 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Auth-Request-Type } 

[ RAT-Type ] 

[ User-Name ] 

[ Service-Selection ] 

{ EAP-Payload } 

[ MIP6-Feature-Vector ] 

[ MIP6-Agent-Info ] 

[ QoS-Capability ] 

[ Visited-Network-Identifier ] 

*[ Supported-Features ] 

*[ AVP ] 

9.2.2.1 .2 Diameter-EAP-Answer (DEA) Command 

The Diameter-EAP-Answer (DEA) command, indicated by the Command-Code field set to 268 and the "R" bit cleared 
in the Command Flags field, is sent from a 3GPP AAA server to a PGW. The Command Code value and the ABNF are 
re-used from the IETF RFC 5778 [11]. 

<Diameter-EAP-Answer> ::= < Diameter Header: 268, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-Id } 

{ Auth-Request-Type } 

{ Result-Code } 

{ Origin-Host } 

{ Origin-Realm } 

[ User-Name ] 

[ EAP-Payload ] 

[ EAP -Master-Session-Key ] 

[ Mobile-Node-Identifier ] 

[ APN-Configuration ] 

[ MIP6-Agent-Info ] 

[ MIP6-Feature-Vector ] 

[ 3GPP-Charging-Characteristics ] 

*[ QoS-Resources ] 

*[ Redirect-Host ] 

[ Trace-Info ] 

*[ Supported-Features ] 

*[ AVP ] 



9.2.2.2 Commands for S6b PMIPv6 or GTPv2 Authorization Procedures 

9.2.2.2.1 AA-Request (AAR) Command 

The AA-Request (AAR) command, indicated by the Command-Code field set to 265 and the "R" bit set in the 
Command Flags field, is sent from a PDN GW to a 3GPP AAA server. The Command Code value and ABNF are re- 
used from the IETF RFC 4005 [4] AA-Request command. New AVPs are added using the *[AVP] extension 
mechanism in the original ABNF. 
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<AA-Request> ::= < Diameter Header: 265, REQ, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-Id } 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Auth-Request-Type } 

[ User-Name ] 

[ MlP6-Agent-lnfo ] 

[ MlP6-Feature-Vector ] 

[ Visited-Network-ldentifier ] 

[ QoS -Capability ] 

[ Service-Selection ] 

*[ Supported-Features ] 

*[ AVP ] 

9.2.2.2.2 AA-Answer (AAA) Command 

The AA-Answer (AAA) command, indicated by the Command-Code field set to 265 and the "R" bit cleared in the 
Command Flags field, is sent from a 3GPP AAA server to a PDN GW. The Command Code value and ABNF are re- 
used from the IETF RFC 4005 [4] AA-Answer command. New AVPs are added using the *[AVP] extension 
mechanism in the original ABNF. 

<AA-Answer> ::= < Diameter Header: 265, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-ld } 
{ Auth-Request-Type } 
{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 

[ MIP6-Feature-Vector ] 
[ Session-Timeout ] 
[ APN-Configuration ] 
[ QoS-Resources ] 
[ AN-Trusted ] 
*[ Redirect-Host ] 
[ Trace-Info ] 
*[ Supported-Features ] 

*[ AVP ] 

9.2.2.3 Commands for PDN GW Initiated Session Termination 

9.2.2.3.1 Session-Termination-Request (STR) Command 

The Session-Termination-Request (STR) command, indicated by the Command-Code field set to 275 and the "R" bit set 
in the Command Flags field, is sent from a PDN GW to a 3GPP AAA server. The Command Code value and ABNF are 
re-used from the IETF RFC 3588 [7] Session-Termination-Request command. New AVPs are added using the *[AVP] 
extension mechanism in the original ABNF. 
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<Session-Termination-Request> ::= < Diameter Header: 275, REQ, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-Id } 
{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Termination-Cause } 
[ User-Name ] 

*[ AVP ] 

9.2.2.3.2 Session-Termination-Answer (STA) Command 

The Session-Termination- Answer (STA) command, indicated by the Command-Code field set to 275 and the "R" bit 
cleared in the Command Flags field, is sent from a 3GPP AAA server to a PDN GW. The Command Code value and 
ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Answer command. 

<Session-Termination-Answer> ::= < Diameter Header: 275, PXY, 16777272 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 

*[ AVP ] 

9.2.2.4 Commands for 3GPP AAA Server Initiated Session Termination 

9.2.2.4.1 Abort-Session-Request (ASR) Command 

The Abort-Session-Request (ASR) command, indicated by the Command-Code field set to 274 and the "R" bit set in the 
Command Flags field, is sent from a 3GPP AAA Server/Proxy to a PDN GW. The ABNF is based on the one in IETF 
RFC 4005 [4]. 

< Abort-Session-Request > ::= < Diameter Header: 274, REQ, PXY, 16777272 > 

< Session-Id > 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Destination-Host } 

{ Auth-Application-Id } 

[ User-Name ] 

[ Auth-Session-State ] 

*[ AVP ] 

9.2.2.4.2 Abort-Session-Answer (ASA) Command 

The Abort-Session- Answer (ASA) command, indicated by the Command-Code field set to 274 and the "R" bit cleared 
in the Command Flags field, is sent from a PDN GW to a 3GPP AAA Server/Proxy. The ABNF is based on the one in 
IETF RFC 4005 [4]. 

< Abort-Session-Answer > ::= < Diameter Header: 274, PXY, 16777272 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 

*[ AVP ] 
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9.2.2.4.3 Session-Termination-Request (STR) Command 

The Session-Termination-Request (STR) command, indicated by the Command-Code field set to 275 and the "R" 
bit set in the Command Flags field, is sent from an PDN GW to a 3GPP AAA Server/Proxy. The Command Code value 
and ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Request command. 

<Session-Termination-Request> ::= < Diameter Header: 275, REQ, PXY, 16777272 > 

< Session-Id > 

{ Origin-Host } 
{ Origin-Realm } 
{ Destination-Realm } 
{ Auth- Application-Id } 
{ Termination-Cause } 
[ User-Name ] 

*[ AVP ] 

9.2.2.4.4 Session-Termination-Answer (STA) Command 

The Session-Termination- Answer (STA) command, indicated by the Command-Code field set to 275 and the "R" bit 
cleared in the Command Flags field, is sent from a 3GPP AAA Server/Proxy to an PDN GW. The Command Code 
value and ABNF are re-used from the IETF RFC 3588 [7] Session-Termination-Answer command. 

<Session-Termination-Answer> ::= < Diameter Header: 275, PXY, 16777272 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 
*[ AVP ] 

9.2.2.5 Commands for S6b MIPv4 FACoA Authorization Procedures 

9.2.2.5.1 AA-Request (AAR) Command 

The AA-Request (AAR) command, indicated by the Command-Code field set to 265 and the "R" bit set in the 
Command Flags field, is sent from a PDN GW to a 3GPP AAA Server. The Command Code value and ABNF are re- 
used from the IETF RFC 4005 [4] AA-Request command. New AVPs are added using the *[AVP] extension 
mechanism in the original ABNF. 

<AA-Request> ::= < Diameter Header: 265, REQ, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-Id } 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Auth-Request-Type } 

[ User-Name ] 

[ MIP6-Agent-Info ] 

[ MIP6-Feature-Vector ] 

[ Visited-Network-Identifier ] 

[ QoS-CapabiHty ] 

[ Service-Selection ] 

*[ Supported-Features ] 

[MIP-MN-HA-SPI] 

*[ AVP ] 

9.2.2.5.2 AA-Answer (AAA) Command 

The AA-Answer (AAA) command, indicated by the Command-Code field set to 265 and the "R" bit cleared in the 
Command Flags field, is sent from a 3GPP AAA Server to a PDN GW. The Command Code value and ABNF are re- 
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used from the IETF RFC 4005 [4] AA-Answer command. New AVPs are added using the *[AVP] extension 
mechanism in the original ABNF. 



<AA-Answer> ::= 



< Diameter Header: 265, PXY, 16777272 > 

< Session-Id > 

{ Auth-Application-Id } 
{ Auth-Request-Type } 
{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 



[ MIP6-Feature-Vector ] 
[ Session-Timeout ] 
[ APN-Configuration ] 
[ QoS-Resources ] 
*[ Redirect-Host ] 
*[ Supported-Features ] 
[MIP-Session-Key] 

*[ AVP ] 



9.2.2.6 



Commands for S6b Service Authorization Information Update Procedures 



9.2.2.6.1 



Re-Auth-Request (RAR) Command 



The Diameter Re-Auth-Request (RAR) command shall be indicated by the Command-Code field set to 258 and the "R" 
bit set in the Command Flags field and is sent from a 3GPP AAA Server or 3GPP AAA Proxy to a PDN-GW. The 
ABNF for the RAR command shall be as follows: 



< Re-Auth-Request > ::= 



< Diameter Header: 258, REQ, PXY, 16777272 > 

< Session-Id > 

{ Origin-Host } 

{ Origin-Realm } 

{ Destination-Realm } 

{ Destination-Host } 

{ Auth-Application-Id } 

{ Re-Auth-Request-Type } 

[ User-Name ] 

[ Trust-Relationship-Update ] 



9.2.2.6.2 



*[ AVP ] 

Re-Auth-Answer (RAA) Command 



The Diameter Re-Auth-Answer (ASA) command shall be indicated by the Command-Code field set to 258 and the "R" 
bit cleared in the Command Flags field and is sent from a PDN-GW to a 3GPP AAA Server or 3GPP AAA Proxy. The 
ABNF for the RAA commands shall be as follows: 
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< Re- Auth- Answer > ::= 



9.2.3 Information Elements 



< Diameter Header: 258, PXY, 16777272 > 

< Session-Id > 

{ Result-Code } 
{ Origin-Host } 
{ Origin-Realm } 
[ User-Name ] 

*[ AVP ] 



9.2.3.1 



S6b DSMIPvS procedures 



9.2.3.1.1 



General 



The following table describes the Diameter AVPs defined for the S6b interface protocol in DSMIPv6 mode, their AVP 
Code values, types, possible flag values and whether or not the AVP may be encrypted. 

Table 9.2.3.1 .1/1 : Diameter S6b AVPs for DSMIPv6 











AVP Flag rules 




Attribute Name 


AVP Code 


Section defined 


Value Type 


Must 


May 


Should not 


Must not 


May Encr. 


MIP6-Agent-lnfo 


486 


9.2.3.2.2 


Grouped 


M 






V 


No 


MIP6-Feature-Vector 


124 


9.2.3.2.3 


Unsigned64 


M 






V 


No 


Visited-Network-ldentifier 


600 


9.2.3.1.2 


OctetString 


M, V 








No 


Trust-Relationship-Update 


1515 


9.2.3.1.4 


Enumerated 


V 






M 


No 


QoS-Capability 


578 


9.2.3.2.4 


Grouped 


M 






V 


No 


QoS-Resources 


508 


9.2.3.2.5 


Grouped 


M 






V 


No 


Trace-Info 


1505 


8.2.3.13 


Grouped 


V 






M 


No 


Service-Selection 


493 


5.2.3.5 


UTF8String 


M 






V 


No 



9.2.3.1.2 



Visited-Network-ldentifier 



The Visited-Network-ldentifier AVP contains an identifier that helps the home network to identify the visited network 
(e.g. the visited network domain name). The Vendor-Id shall be set to 10415 (3GPP). 

The AVP shall be encoded as: 

mnc<MNC>.mcc<MCC>.3gppnetwork.org 

9.2.3.1.3 Void 



9.2.3.1.4 



Trust-Relationship-Update 



The Trust-Relationship-Update AVP is of type Enumerated. It contains an indicator that the correpsonding procedure is 
only used for the 3GPP AAA Server to send the trust relationship to the PDN GW, and the PDN GW shall not perform 
any authorization procedure towards the UE. The Vendor-Id shall be set to 10415 (3GPP). The following values are 
defined: 

REQUEST_UPDATE (1) 

Any other values not defined above are equivalent to this AVP not being present. 



9.2.3.2 



S6b PMIPv6 or GTPv2 procedures 



9.2.3.2.1 



General 



The following table describes the Diameter AVPs defined for the S6b interface protocol in PMIPv6 or GTPv2 mode, 
their AVP Code values, types, possible flag values and whether or not the AVP may be encrypted. 
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Table 9.2.3.2.1/1 : Diameter S6b AVPs for PMIPv6 or GTPv2 











AVP Flag rules 




Attribute Name 


AVP Code 


Section defined 


Value Type 


Must 


May 


Should not 


Must not 


May Encr. 


MIP6-Agent-lnfo 


486 


9.2.3.2.2 


Grouped 


M 






V 


No 


MIP6-Feature-Vector 


124 


9.2.3.2.3 


Unsigned64 


M 






V 


No 


QoS-Capability 


578 


9.2.3.2.4 


Grouped 


M 






V 


No 


QoS-Resources 


508 


9.2.3.2.5 


Grouped 


M 






V 


No 


Trace-Info 


1505 


8.2.3.13 


Grouped 


V 






M 


No 


Service-Selection 


493 


5.2.3.5 


UTF8String 


M 






V 


No 



9.2.3.2.2 



MIP6-Agent-lnfo 



The MIP6-Agent-Info AVP contains the PDN GW identity or (for the chained S2 - PMIP based S8 case) the Serving 
GW address information. This AVP is defined in IETF RFC 5447 [6]. The identity of PDN GW is either an IP address 
transported in MIP-Home-Agent- Address or an FQDN transported in MIP-Home-Agent-Host. The PDN GW may use 
its IP address if a single IP address can be used for all Access Networks and protocols towards the PDN GW. In all 
other cases the PDN GW shall use its FQDN. MAG/AAA/HSS shall use FQDN if known. The grouped AVP has the 
following grammar: 



MIP6- Agent-Info ::= 



< AVP Header: 486 > 
*2[ MIP -Home-Agent-Address ] 
[ MIP-Home-Agent-Host ] 
[ MIP6-Home-Link-Prefix ] 
*[ AVP ] 



9.2.3.2.3 



MIP6-Feature- Vector 



The MIP6-Feature- Vector AVP contains a 64 bit flags field of supported mobility capabilities of the NAS. This AVP is 
defined in IETF RFC 5447 [6]. The NAS may include this AVP in a request message to indicate the mobility 
capabilities of the NAS to the 3GPP AAA server. Similarly, the Diameter server may include this AVP in an answer 
message to inform the NAS about which of the NAS indicated capabilities are supported or authorized by the 3GPP 
AAA Server. 

Following capabilities are supported on S6b reference point in PMIPv6 or GTPv2 mode: 

- PMIP6_SUPPORTED 

- IP4_HOA_SUPPORTED 

- GTPv2_SUPPORTED 



9.2.3.2.4 



QoS-Capability 



The QoS-Capability AVP contains a list of supported Quality of Service profile templates (and therefore the support of 
the respective parameter AVPs). This AVP is defined in IETF RFC 5777 [9]. 



9.2.3.2.5 



QoS-Resources 



The QoS-Resources AVP includes a description of the Quality of Service resources for policing traffic flows. This AVP 
is defined in IETF RFC 5777 [9]. 



9.2.3.3 



S6b Re-used Diameter AVPs 



Table 9.2.3.3/1 : S6b re-used Diameter AVPs 



Attribute Name 


Reference 


Comments 


Supported-Features 


3GPP TS 29.229 [24] 




Feature-List-ID 


3GPP TS 29.229 [24] 


See section 9.2.3.4 


Feature-List 


3GPP TS 29.229 [24] 


See section 9.2.3.5 
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9.2.3.4 Feature-List-ID AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. For this release, the Feature-List-ID AVP value shall be set 
to 1 for the S6b application. 

9.2.3.5 Feature-List AVP 

The syntax of this AVP is defined in 3GPP TS 29.229 [24]. A null value indicates that there is no feature used by the 
S6b application. 

NOTE: There are no S6b features defined for this release. 



9.2.3.6 



S6b l\/ilPv4 FACoA procedures 



9.2.3.6.1 



General 



The following table describes the Diameter AVPs defined for the S6b interface protocol in MIPv4 mode, their AVP 
Code values, types, possible flag values and whether or not the AVP may be encrypted. 

Table 9.2.3.6.1/1 : Diameter S6b AVPs for MIPv4 FACoA 











AVP Flag rules 




Attribute Name 


AVP Code 


Section defined 


Value Type 


Must 


May 


Should not 


Must not 


May Encr. 


MIP6-Agent-lnfo 


486 


9.2.3.6.2 


Grouped 


M 






V 


No 


MIP6-Feature-Vector 


124 


9.2.3.6.3 


Unsigned64 


M 






V 


No 


QoS-Capability 


578 


9.2.3.6.4 


Grouped 


M 






V 


No 


QoS-Resources 


508 


9.2.3.6.5 


Grouped 


M 






V 


No 


MIP-MN-HA-SPI 


491 


9.2.3.6.6 


Unsigned32 


M 


P 




V 


Y 


MIP-Session-Key 


343 


9.2.3.6.7 


OctetString 


M 


P 




V 


Y 


Service-Selection 


493 


5.2.3.5 


UTF8String 


M 






V 


No 



9.2.3.6.2 



MIP6-Agent-lnfo 



The MIP6- Agent-Info AVP contains the PDN GW identity. This AVP is defined in IETF RFC 5447 [6]. The identity of 
PDN GW is either an IP address transported in MIP -Home-Agent-Address or an FQDN transported in MIP-Home- 
Agent-Host. The PDN GW may use its IP address if a single IP address can be used for all Access Networks and 
protocols towards the PDN GW. In all other cases the PDN GW shall use its FQDN. The FA/3GPP AAA Server/HSS 
shall use FQDN if known. The grouped AVP has the following grammar: 



MIP6- Agent-Info ::= 



< AVP Header: 486 > 
*2[ MIP -Home-Agent-Address ] 
[ MIP -Home-Agent-Host ] 
[ MIP6-Home-Link-Prefix ] 
*[ AVP ] 



9.2.3.6.3 



MIP6-Feature-Vector 



The MIP6-Feature-Vector AVP contains a 64 bit flags field of supported mobility capabilities of the NAS. This AVP is 
defined in IETF RFC 5447 [6]. The NAS may include this AVP in a request message to indicate the mobility 
capabilities of the NAS to the 3GPP AAA Server. Similarly, the Diameter server may include this AVP in an answer 
message to inform the NAS about which of the NAS indicated capabilities are supported or authorized by the 3GPP 
AAA Server. 

Following capabilities are supported on S6b reference point in MIPv4 FACoA mode: 

- MIP4_SUPPORTED 



9.2.3.6.4 



QoS-Capability 



The QoS-Capability AVP contains a list of supported Quality of Service profile templates (and therefore the support of 
the respective parameter AVPs). This AVP is defined in IETF RFC 5777 [9]. 
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9.2.3.6.5 QoS-Resources 

The QoS-Resources AVP includes a description of the Quality of Service resources for policing traffic flows. This AVP 
is defined in IETF RFC 5777 [9]. 

9.2.3.6.6 MIP-MN-HA-SPI 

The MIP-MN-HA-SPI AVP contains the index of the security association between the Mobile Node and the HA. This 
AVP is defined in IETF RFC 5778 [11]. 

9.2.3.6.7 MIP-Session-Key 

The MIP-Session-Key AVP contains the MN-HA shared key. This AVP is defined in IETF RFC 4004 [18]. 

9.2.4 Session Handling 

The Diameter protocol between the PDN-GW and the 3GPP AAA Server or the 3GPP AAA Proxy shall always keep 
session state, and use the same Session-Id parameter for the lifetime of each Diameter session. 

A Diameter session shall identify a PDN Connection for a given user and an APN, while the PDN Connection is kept 
alive in the non-3GPP access. When the PDN Connection is either disconnected on the non-3GPP access, or handed 
over to the 3GPP access, the diameter session shall be terminated. In order to indicate that the session state is to be 
maintained, the Diameter client and server shall not include the Auth-Session-State AVP, either in the request or in the 
response messages (see IETF RFC 3588 [7]). 



10 Result-Code and Experimental-Result Values 

10.1 General 

This section defines result code values that shall be supported by all Diameter implementations that conform to this 
specification. 

1 0.2 Success 

Result codes that fall within the Success category shall be used to inform a peer that a request has been successfully 
completed. The Result-Code AVP values defined in Diameter Base Protocol RFC 3588 [7] shall be applied. 

10.3 Permanent Failures 

10.3.1 General 

Errors that fall within the Permanent Failures category shall be used to inform the peer that the request has failed, and 
should not be attempted again. The Result-Code AVP values defined in Diameter Base Protocol RFC 3588 [7] shall be 
applied. When one of the result codes defined here is included in a response, it shall be inside an Experimental-Result 
AVP and the Result-Code AVP shall be absent. 

1 0.3.2 DIAMETER_ERROR_USER_UNKNOWN (5001 ) 

This result code shall be sent by the HSS to indicate that the user identified by the IMSI is unknown (see 3GPP TS 
29.299 [9]). 

1 0.3.3 DIAMETER_ERRORJDENTITY_NOT_REGISTERED (5003) 

This result code shall be sent by the HSS to indicate that there is currently no 3GPP AAA Server registered for the user 
(see 3GPP TS 29.299 [9]). 
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1 0.3.4 DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004) 

This result code shall be sent by the HSS to indicate that the subscriber is not allowed to roam in a certain non-3GPP V- 
PLMN (see 3GPP TS 29.299 [9]). 

10.3.5 DIAMETER_ERRORJDENTITY_ALREADY_REGISTERED(5005) 

This result code shall be sent by the HSS to indicate that the node identity trying to be registered by a 3GPP AAA 
Server is already registered for a specific user (see 3GPP TS 29.299 [9]). 

10.3.6 DIAMETER_ERR0R_USER_N0_N0N_3GPP_SUBSCRIPTI0N 
(5450) 

This result code shall be sent by the HSS to indicate that no non-3GPP subscription is associated with the IMSI. 

1 0.3.7 DIAMETER_ERROR_USER_NO_APN_SUBSCRIPTION (5451 ) 

This result code shall be sent by the 3GPP AAA Server to indicate that the requested APN is not included in the user's 
profile, and therefore is not authorized for that user. 

1 0.3.8 DIAMETER_ERROR_RAT_TYPE_NOT_ALLOWED (5452) 

This result code shall be sent by the HSS to indicate the RAT type the UE is using is not allowed for the IMSI. 

10.4 Transient Failures 
10.4.1 General 

Result codes that fall within the transient failures category shall be used to inform a peer that the request could not be 
satisfied at the time it was received, but may be able to satisfy the request in the future. The Result-Code AVP values 
defined in Diameter Base Protocol RFC 3588 [7] shall be applied. When one of the result codes defined here is included 
in a response, it shall be inside an Experimental-Result AVP and the Result-Code AVP shall be absent. 

There are no Transient Error codes defined in this specification. 
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